PDA

View Full Version : Virtumonde or something else?



slhurban
2008-08-27, 09:34
I have been infected by Virtumonde and have scanned and "fixed" the errors, disconnected from the internet and rebooted my machine to find the virus is still detected. I did two virtumonde removals "VundoFix" and "f-Vmonde" which both indicated I was not infected. I am plagued with pop-ups and porn. I have included the HijackThis scan log. I hope someone is able to help me. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:55 AM, on 27/08/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Smileycons\smileycons.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\conime.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\yayvTnoP.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Smileycons] C:\Program Files\Smileycons\smileycons.exe
O4 - HKCU\..\Run: [603aa95c] rundll32.exe "C:\Users\Sandy\AppData\Local\Temp\dsyyvkmo.dll",b
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Sandy\AppData\Local\Temp\opnnOGVL.dll,#1
O4 - HKCU\..\Run: [BM63099ac0] Rundll32.exe "C:\Users\Sandy\AppData\Local\Temp\vsjxcgdf.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Sandy\AppData\Local\Temp\xxyxVoMe.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-ca/wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor2/sis/mjolauncher.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1218825801695&h=12ae028c8964b444fe939381d839cf3c/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://download-games.pogo.com/online2/pogo/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game01.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoshare.shaw.ca/files/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 10942 bytes

__RiP_ChAiN_
2008-08-28, 02:20
Hello slhurban,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

----------------------------------------------- Step 2

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

slhurban
2008-08-28, 03:41
Thank you for your prompt reply to my problem.

I have done as indicated and I have included the requested logs.

1. uninstall_list

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Apple Mobile Device Support
Apple Software Update
CCleaner (remove only)
Copy Utility
Corel Paint Shop Pro Photo X2
DesignPro 5.0 Limited Edition
DirectXInstallService
EMC 10 Content
EPSON Smart Panel
EPSON TWAIN 5
FreeAgent Pro Tools
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
InterVideo DeviceService
iTunes
Java(TM) 6 Update 7
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Digital Image Standard 2006
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Location Finder
Microsoft Money 2006
Microsoft Silverlight
Microsoft Streets & Trips 2006
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
NVIDIA Drivers
Oblivion
Oblivion - Construction Set
Oblivion mod manager 1.1.8
Python 2.5.1
QuickTime
RealArcade
Realtek High Definition Audio Driver
Recover My Files
Roxio Activation Module
Roxio BackOnTrack
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio CinePlayer
Roxio CinePlayer Decoder Pack
Roxio Disc Gallery
Roxio Easy Media Creator 10 Suite
Roxio File Backup
Roxio MediaShare
Roxio Update Manager
ScanToWeb
Shaw Secure 2.0
Skype™ 3.6
SmartSound Quicktracks Plugin
Smileycons 6.0.1
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.0
System Requirements Lab
Ulead VideoStudio 11
Unofficial Oblivion Patch v2.2.0
Unofficial Shivering Isles Patch v1.2.0
Vista Codec Package
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
WinRAR archiver
wxPython 2.8.7.1 (ansi) for Python 2.5


2. ComboFix

ComboFix 08-08-26.03 - Sandy 2008-08-27 17:54:04.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.969 [GMT -6:00]
Running from: C:\Users\Sandy\Desktop\Diagnostics & Repairs\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Sandy\AppData\Local\Temp\dsyyvkmo.dll
C:\Users\Sandy\AppData\Local\Temp\ncwdgiqe.dll
C:\Users\Sandy\AppData\Local\Temp\xxyxVoMe.dll
C:\Users\Sandy\AppData\Roaming\macromedia\Flash Player\#SharedObjects\UD5T93SZ\bin.clearspring.com
C:\Users\Sandy\AppData\Roaming\macromedia\Flash Player\#SharedObjects\UD5T93SZ\bin.clearspring.com\clearspring.sol
C:\Users\Sandy\AppData\Roaming\macromedia\Flash Player\#SharedObjects\UD5T93SZ\static.youku.com
C:\Users\Sandy\AppData\Roaming\macromedia\Flash Player\#SharedObjects\UD5T93SZ\static.youku.com\v1.0.0317\v\swf\qplayer.swf\qplayer.sol
C:\Users\Sandy\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Users\Sandy\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Users\Sandy\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Users\Sandy\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Users\Sandy\ctfmon.exe
C:\Windows\system32\MSINET.oca
C:\Windows\system32\nnnkHbAs.dll
C:\Windows\system32\yayvTnoP.dll
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-27 10:04 . 2008-08-27 10:04 <DIR> d-------- C:\Program Files\CCleaner
2008-08-27 00:17 . 2008-08-27 00:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-26 23:15 . 2008-08-26 23:15 <DIR> d-------- C:\VundoFix Backups
2008-08-26 19:36 . 2008-08-26 23:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-26 12:43 . 2008-08-26 12:43 <DIR> d-------- C:\Windows\System32\eMaxt02
2008-08-26 12:43 . 2008-08-26 12:43 <DIR> d-------- C:\temp\bbc2
2008-08-26 12:43 . 2008-08-26 12:43 511 --a------ C:\Users\Sandy\481.bat
2008-08-25 20:23 . 2008-08-25 20:23 <DIR> d-------- C:\Users\Sandy\AppData\Roaming\eBookPro6
2008-08-25 18:47 . 2008-07-18 23:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-25 18:47 . 2008-07-18 21:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-25 18:47 . 2008-07-18 23:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-25 18:47 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-25 18:47 . 2008-07-18 21:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-25 18:47 . 2008-07-18 23:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-25 18:47 . 2008-07-18 23:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-25 18:47 . 2008-07-18 23:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-25 18:47 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-21 12:51 . 2008-08-21 12:51 <DIR> d-------- C:\Program Files\Canon
2008-08-15 12:42 . 2008-08-15 12:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-15 12:14 . 2008-08-15 12:14 <DIR> d-------- C:\Program Files\Smileycons
2008-08-15 03:03 . 2008-07-15 19:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 14:06 . 2008-06-26 22:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-14 14:06 . 2008-06-18 21:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-14 14:06 . 2008-04-17 23:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-14 14:05 . 2008-06-26 19:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-14 14:05 . 2008-04-09 23:12 738,304 --a------ C:\Windows\System32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 21:15 --------- d-----w C:\Program Files\LimeWire
2008-08-27 00:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-26 23:47 --------- d---a-w C:\ProgramData\TEMP
2008-08-26 23:42 --------- d-----w C:\Users\Sandy\AppData\Roaming\LimeWire
2008-08-25 18:49 46,570 ----a-w C:\Users\Sandy\AppData\Roaming\wklnhst.dat
2008-08-25 15:38 2,516 ----a-w C:\Windows\System32\KGyGaAvL.sys
2008-08-19 15:31 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-15 18:43 --------- d-----w C:\Program Files\Java
2008-08-15 18:04 --------- d-----w C:\Program Files\Google
2008-08-15 09:10 --------- d-----w C:\Program Files\Windows Mail
2008-07-24 16:02 --------- d-----w C:\ProgramData\Roxio
2008-07-21 23:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-11 14:54 --------- d-----w C:\ProgramData\WindowsSearch
2008-07-11 14:31 --------- d-----w C:\Users\Sandy\AppData\Roaming\Roxio
2008-07-10 17:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 17:33 --------- d-s---w C:\ProgramData\Seagate
2008-07-10 17:33 --------- d-----w C:\Program Files\Seagate
2008-07-10 17:33 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-07-10 14:09 130,904 ----a-w C:\Users\Sandy\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-07-09 15:46 --------- d-----w C:\ProgramData\SmartSound Software Inc
2008-07-08 23:03 --------- d-----w C:\Program Files\InterActual
2008-07-08 22:57 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-07-08 22:56 --------- d-----w C:\Program Files\Roxio
2008-07-08 22:55 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-07-08 22:54 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-07-08 22:50 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-08 20:18 --------- d-----w C:\ProgramData\Sonic
2008-07-08 20:10 --------- d-----w C:\ProgramData\eSellerate
2008-07-08 20:10 --------- d-----w C:\Program Files\SmartSound Software
2008-07-08 20:09 --------- d-----w C:\ProgramData\InstallShield
2008-07-08 20:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-07 16:30 --------- d-----w C:\Users\Sandy\AppData\Roaming\Panasonic
2008-07-07 16:19 0 ------w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-07-07 16:18 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-07-07 16:18 --------- d-----w C:\Program Files\ArcSoft
2008-07-07 16:15 --------- d-----w C:\Users\Sandy\AppData\Roaming\ArcSoft
2008-07-07 16:03 --------- d-----w C:\ProgramData\ArcSoft
2008-06-30 22:51 --------- d-----w C:\ProgramData\Tanagra
2008-06-30 22:51 --------- d-----w C:\Program Files\Memeo
2008-06-27 01:57 --------- d-----w C:\Program Files\GetData
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-29 04:08 174 --sha-w C:\Program Files\desktop.ini
2008-05-28 11:25 82,432 ------w C:\Windows\System32\axaltocm.dll
2008-05-28 11:25 101,888 ------w C:\Windows\System32\ifxcardm.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2007-12-05 01:38 32 ----a-w C:\Users\All Users\ezsid.dat
2007-12-05 01:38 32 ----a-w C:\ProgramData\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 01:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 01:33 125952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 01:33 202240]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-15 12:04 39408]
"Smileycons"="C:\Program Files\Smileycons\smileycons.exe" [2007-05-14 07:04 1368064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 13:12 341488]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"F-Secure TNB"="C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" [2007-04-26 05:41 733184]
"F-Secure Manager"="C:\Program Files\Shaw Secure\Common\FSM32.EXE" [2007-04-26 05:43 176177]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-09-12 12:00 531272]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 15:52 240112]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 03:44 113136]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-14 15:50 4399104 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-03-13 18:55 1822720 C:\Windows\SkyTel.exe]

C:\Users\Sandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe [2008-01-14 11:48:32 95456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{43DC614F-0AF2-4F17-9B8A-9ACA9096B690}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{1C22589A-0171-4F97-86B7-2ECDEAE07210}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{88E96B3D-39B9-4E32-9F36-BE492F8667BF}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{F2FCD235-D1DE-4A26-AD27-766E6432D930}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{8F199350-6643-4368-9354-FB6F77567488}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{C78987BD-EB24-4FB8-A31E-1F33B1B37871}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{F158A83B-D29E-40C0-A024-025C06B61EDE}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{B2AA1ED3-CFB8-4934-892C-4943EBEAE42B}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9FA1F399-409E-4446-A68B-8E81682A5B23}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Shaw Secure\HIPS\fshs.sys [2008-02-13 17:57]
R1 FSES;F-Secure Email Scanning Driver;C:\Windows\system32\drivers\fses.sys [2007-04-26 05:43]
R1 FSFW;F-Secure Firewall Driver;C:\Windows\system32\drivers\fsdfw.sys [2008-03-17 08:04]
R1 fsvista;F-Secure Vista Support Driver;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [2007-04-26 05:42]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2007-04-26 05:42]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2007-04-26 05:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{359b423b-44c4-11dd-acf7-001a9244d132}]
\shell\AutoRun\command - "G:\Install FreeAgent Tools.exe" /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94e7ece-6df7-11dc-8e6a-806e6f6e6963}]
\shell\AutoRun\command - D:\OblivionLauncher.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-28 C:\Windows\Tasks\Scheduled scanning task.job
- C:\PROGRA~1\SHAWSE~1\ANTI-V~1\fsav.exe [2007-04-26 05:42]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe
HKLM-Run-MSServer - C:\Windows\system32\yayvTnoP.dll
ShellExecuteHooks-{696201FB-39A5-4903-8F74-9FFCF8811C24} - C:\Windows\system32\yayvTnoP.dll


.
------- Supplementary Scan -------
.

O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
C:\Windows\Downloaded Program Files\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.3\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.4\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.5\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.6\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.7\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.8\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.9\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.10\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.11\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.12\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.13\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.14\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.15\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.16\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.17\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.18\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.19\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.20\stg_drm.ocx
C:\Windows\Downloaded Program Files\CONFLICT.21\stg_drm.ocx

O16 -: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
C:\Windows\Downloaded Program Files\2020Player.inf

O16 -: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
C:\Windows\Downloaded Program Files\PogoWebLauncher.ocx

O16 -: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
C:\Windows\Downloaded Program Files\SpinTopGamesLauncher.inf
C:\Windows\Downloaded Program Files\SpinTopGamesLauncher.dll

O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game01.zylom.com/activex/zylomgamesplayer.cab
C:\Windows\Downloaded Program Files\ZylomGamesPlayer.inf
C:\Windows\Downloaded Program Files\zylomgamesplayer.dll

O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
C:\Windows\Downloaded Program Files\armhelper.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 18:00:01
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe
C:\Windows\System32\PSIService.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Windows\System32\conime.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Windows\ehome\ehrecvr.exe
.
**************************************************************************
.
Completion time: 2008-08-27 18:09:35 - machine was rebooted [Sandy]
ComboFix-quarantined-files.txt 2008-08-28 00:08:01

Pre-Run: 163,662,864,384 bytes free
Post-Run: 166,529,990,656 bytes free

282 --- E O F --- 2008-08-26 20:40:26


3. New HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:36, on 2008-08-27
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\conime.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Smileycons\smileycons.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Smileycons] C:\Program Files\Smileycons\smileycons.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-ca/wlscctrl2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor2/sis/mjolauncher.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1218825801695&h=12ae028c8964b444fe939381d839cf3c/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://download-games.pogo.com/online2/pogo/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game01.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoshare.shaw.ca/files/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 9821 bytes

__RiP_ChAiN_
2008-08-28, 06:24
Hello slhurban,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\Users\Sandy\481.bat
Folder::
C:\Windows\System32\eMaxt02
C:\temp\bbc2
C:\Program Files\LimeWire
C:\Users\Sandy\AppData\Roaming\LimeWire

Save this as CFScript.txt, in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

slhurban
2008-08-28, 06:45
Again, thank you very much. I have included the Combofix.txt log.

ComboFix 08-08-26.03 - Sandy 2008-08-27 21:39:05.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.933 [GMT -6:00]
Running from: C:\Users\Sandy\Desktop\Diagnostics & Repairs\ComboFix.exe
Command switches used :: C:\Users\Sandy\Desktop\Diagnostics & Repairs\CFScript.txt
* Created a new restore point

FILE ::
C:\Users\Sandy\481.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\LimeWire
C:\Program Files\LimeWire\aopalliance.pack
C:\Program Files\LimeWire\clink.pack
C:\Program Files\LimeWire\commons-codec-1.3.pack
C:\Program Files\LimeWire\commons-logging.pack
C:\Program Files\LimeWire\commons-net.pack
C:\Program Files\LimeWire\daap.pack
C:\Program Files\LimeWire\dnsjava.pack
C:\Program Files\LimeWire\forms.pack
C:\Program Files\LimeWire\foxtrot.pack
C:\Program Files\LimeWire\gettext-commons.pack
C:\Program Files\LimeWire\guice-1.0.pack
C:\Program Files\LimeWire\hsqldb.pack
C:\Program Files\LimeWire\httpclient-4.0-alpha5-20080522.192134-5.pack
C:\Program Files\LimeWire\httpcore-4.0-beta2-20080510.140437-10.pack
C:\Program Files\LimeWire\httpcore-nio-4.0-beta2-20080510.140437-10.pack
C:\Program Files\LimeWire\icu4j.pack
C:\Program Files\LimeWire\jaudiotagger.pack
C:\Program Files\LimeWire\jcraft.pack
C:\Program Files\LimeWire\jdic.pack
C:\Program Files\LimeWire\jdic_stub.pack
C:\Program Files\LimeWire\jflac.pack
C:\Program Files\LimeWire\jl.pack
C:\Program Files\LimeWire\jmdns.pack
C:\Program Files\LimeWire\jogg.pack
C:\Program Files\LimeWire\jorbis.pack
C:\Program Files\LimeWire\lib\commons-httpclient.jar
C:\Program Files\LimeWire\lib\commons-pool.jar
C:\Program Files\LimeWire\lib\httpcore-nio.jar
C:\Program Files\LimeWire\lib\httpcore.jar
C:\Program Files\LimeWire\lib\id3v2.jar
C:\Program Files\LimeWire\lib\UnpackedJars.7z
C:\Program Files\LimeWire\LimeWire.jar.tmp
C:\Program Files\LimeWire\log4j.pack
C:\Program Files\LimeWire\looks.pack
C:\Program Files\LimeWire\messages.pack
C:\Program Files\LimeWire\mp3spi.pack
C:\Program Files\LimeWire\onion-common.pack
C:\Program Files\LimeWire\onion-fec.pack
C:\Program Files\LimeWire\ProgressTabs.pack
C:\Program Files\LimeWire\swt.pack
C:\Program Files\LimeWire\themes.pack
C:\Program Files\LimeWire\tritonus.pack
C:\Program Files\LimeWire\vorbisspi.pack
C:\temp\bbc2
C:\Users\Sandy\481.bat
C:\Users\Sandy\AppData\Roaming\LimeWire
C:\Users\Sandy\AppData\Roaming\LimeWire\414splashfree.png
C:\Users\Sandy\AppData\Roaming\LimeWire\active.mojito
C:\Users\Sandy\AppData\Roaming\LimeWire\certificate\limewire.keystore
C:\Users\Sandy\AppData\Roaming\LimeWire\createtimes.cache
C:\Users\Sandy\AppData\Roaming\LimeWire\downloads.dat
C:\Users\Sandy\AppData\Roaming\LimeWire\fileurns.bak
C:\Users\Sandy\AppData\Roaming\LimeWire\fileurns.cache
C:\Users\Sandy\AppData\Roaming\LimeWire\filters.props
C:\Users\Sandy\AppData\Roaming\LimeWire\gnutella.net
C:\Users\Sandy\AppData\Roaming\LimeWire\installation.props
C:\Users\Sandy\AppData\Roaming\LimeWire\library.dat
C:\Users\Sandy\AppData\Roaming\LimeWire\limewire.props
C:\Users\Sandy\AppData\Roaming\LimeWire\mojito.props
C:\Users\Sandy\AppData\Roaming\LimeWire\promotion\promodb.backup
C:\Users\Sandy\AppData\Roaming\LimeWire\promotion\promodb.data
C:\Users\Sandy\AppData\Roaming\LimeWire\promotion\promodb.properties
C:\Users\Sandy\AppData\Roaming\LimeWire\promotion\promodb.script
C:\Users\Sandy\AppData\Roaming\LimeWire\questions.props
C:\Users\Sandy\AppData\Roaming\LimeWire\responses.cache
C:\Users\Sandy\AppData\Roaming\LimeWire\simpp.xml
C:\Users\Sandy\AppData\Roaming\LimeWire\spam.dat
C:\Users\Sandy\AppData\Roaming\LimeWire\tables.props
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme.lwtp
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\01_star.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\02_star.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\03_star.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\04_star.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\05_star.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\chat.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\forward_dn.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\forward_up.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\kill.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\kill_on.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\logo.png
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\notsearching.png
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\pause_dn.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\pause_up.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\play_dn.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\play_up.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\question.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\rewind_up.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\searching.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\splash.png
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\splashpro.png
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\stop_dn.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\stop_up.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\theme.txt
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\version.txt
C:\Users\Sandy\AppData\Roaming\LimeWire\themes\windows_theme\warning.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\ttree.cache
C:\Users\Sandy\AppData\Roaming\LimeWire\ttrees.cache
C:\Users\Sandy\AppData\Roaming\LimeWire\ttroot.cache
C:\Users\Sandy\AppData\Roaming\LimeWire\version.xml
C:\Users\Sandy\AppData\Roaming\LimeWire\versions.props
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\data\audio.sxml2
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\data\delete_me
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\data\video.sxml2
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\misc\application.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\misc\audio.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\misc\document.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\misc\image.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\misc\video.gif
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\schemas\application.xsd
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\schemas\audio.xsd
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\schemas\document.xsd
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\schemas\image.xsd
C:\Users\Sandy\AppData\Roaming\LimeWire\xml\schemas\video.xsd
C:\Windows\System32\eMaxt02
C:\Windows\System32\eMaxt02\eMaxt022328.0xe

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-27 10:04 . 2008-08-27 10:04 <DIR> d-------- C:\Program Files\CCleaner
2008-08-27 00:17 . 2008-08-27 00:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-26 23:15 . 2008-08-26 23:15 <DIR> d-------- C:\VundoFix Backups
2008-08-26 19:36 . 2008-08-26 23:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-25 20:23 . 2008-08-25 20:23 <DIR> d-------- C:\Users\Sandy\AppData\Roaming\eBookPro6
2008-08-25 18:47 . 2008-07-18 23:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-25 18:47 . 2008-07-18 21:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-25 18:47 . 2008-07-18 23:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-25 18:47 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-25 18:47 . 2008-07-18 21:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-25 18:47 . 2008-07-18 23:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-25 18:47 . 2008-07-18 23:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-25 18:47 . 2008-07-18 23:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-25 18:47 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-21 12:51 . 2008-08-21 12:51 <DIR> d-------- C:\Program Files\Canon
2008-08-15 12:42 . 2008-08-15 12:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-15 12:14 . 2008-08-15 12:14 <DIR> d-------- C:\Program Files\Smileycons
2008-08-15 03:03 . 2008-07-15 19:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 14:06 . 2008-06-26 22:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-14 14:06 . 2008-06-18 21:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-14 14:06 . 2008-04-17 23:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-14 14:05 . 2008-06-26 19:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-14 14:05 . 2008-04-09 23:12 738,304 --a------ C:\Windows\System32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 03:36 --------- d---a-w C:\ProgramData\TEMP
2008-08-28 01:18 46,958 ----a-w C:\Users\Sandy\AppData\Roaming\wklnhst.dat
2008-08-28 00:55 2,516 ----a-w C:\Windows\System32\KGyGaAvL.sys
2008-08-27 00:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-19 15:31 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-15 18:43 --------- d-----w C:\Program Files\Java
2008-08-15 18:04 --------- d-----w C:\Program Files\Google
2008-08-15 09:10 --------- d-----w C:\Program Files\Windows Mail
2008-07-24 16:02 --------- d-----w C:\ProgramData\Roxio
2008-07-21 23:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-11 14:54 --------- d-----w C:\ProgramData\WindowsSearch
2008-07-11 14:31 --------- d-----w C:\Users\Sandy\AppData\Roaming\Roxio
2008-07-10 17:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 17:33 --------- d-s---w C:\ProgramData\Seagate
2008-07-10 17:33 --------- d-----w C:\Program Files\Seagate
2008-07-10 17:33 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-07-10 14:09 130,904 ----a-w C:\Users\Sandy\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-07-09 15:46 --------- d-----w C:\ProgramData\SmartSound Software Inc
2008-07-08 23:03 --------- d-----w C:\Program Files\InterActual
2008-07-08 22:57 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-07-08 22:56 --------- d-----w C:\Program Files\Roxio
2008-07-08 22:55 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-07-08 22:54 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-07-08 22:50 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-08 20:18 --------- d-----w C:\ProgramData\Sonic
2008-07-08 20:10 --------- d-----w C:\ProgramData\eSellerate
2008-07-08 20:10 --------- d-----w C:\Program Files\SmartSound Software
2008-07-08 20:09 --------- d-----w C:\ProgramData\InstallShield
2008-07-08 20:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-07 16:30 --------- d-----w C:\Users\Sandy\AppData\Roaming\Panasonic
2008-07-07 16:19 0 ------w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-07-07 16:18 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-07-07 16:18 --------- d-----w C:\Program Files\ArcSoft
2008-07-07 16:15 --------- d-----w C:\Users\Sandy\AppData\Roaming\ArcSoft
2008-07-07 16:03 --------- d-----w C:\ProgramData\ArcSoft
2008-06-30 22:51 --------- d-----w C:\ProgramData\Tanagra
2008-06-30 22:51 --------- d-----w C:\Program Files\Memeo
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-29 04:08 174 --sha-w C:\Program Files\desktop.ini
2008-05-28 11:25 82,432 ------w C:\Windows\System32\axaltocm.dll
2008-05-28 11:25 101,888 ------w C:\Windows\System32\ifxcardm.dll
2007-12-05 01:38 32 ----a-w C:\Users\All Users\ezsid.dat
2007-12-05 01:38 32 ----a-w C:\ProgramData\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-27_18.05.30.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 23:59:11 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-27 23:59:11 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2006-11-02 09:46:13 41,472 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
- 2008-08-27 23:21:23 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-28 02:00:12 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-27 23:21:23 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-28 02:00:12 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-27 23:21:23 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-28 02:00:12 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-27 23:59:35 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-28 03:41:24 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-27 20:55:27 16,384 ------w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-27 23:59:11 16,384 ------w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-27 20:55:27 32,768 ------w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-27 23:59:11 32,768 ------w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-27 20:55:27 16,384 ------w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-27 23:59:11 16,384 ------w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-27 21:27:15 10,158 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4130232859-2869537293-3842332275-1000_UserData.bin
+ 2008-08-28 00:01:11 10,404 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4130232859-2869537293-3842332275-1000_UserData.bin
- 2008-08-27 21:27:14 57,412 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-28 00:01:04 57,498 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-27 21:27:13 47,912 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-28 00:00:57 48,328 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 01:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 01:33 125952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 01:33 202240]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-15 12:04 39408]
"Smileycons"="C:\Program Files\Smileycons\smileycons.exe" [2007-05-14 07:04 1368064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 13:12 341488]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"F-Secure TNB"="C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" [2007-04-26 05:41 733184]
"F-Secure Manager"="C:\Program Files\Shaw Secure\Common\FSM32.EXE" [2007-04-26 05:43 176177]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-09-12 12:00 531272]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 15:52 240112]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 03:44 113136]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-14 15:50 4399104 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-03-13 18:55 1822720 C:\Windows\SkyTel.exe]

C:\Users\Sandy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe [2008-01-14 11:48:32 95456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{43DC614F-0AF2-4F17-9B8A-9ACA9096B690}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{1C22589A-0171-4F97-86B7-2ECDEAE07210}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{88E96B3D-39B9-4E32-9F36-BE492F8667BF}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{F2FCD235-D1DE-4A26-AD27-766E6432D930}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{8F199350-6643-4368-9354-FB6F77567488}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{C78987BD-EB24-4FB8-A31E-1F33B1B37871}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{F158A83B-D29E-40C0-A024-025C06B61EDE}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{B2AA1ED3-CFB8-4934-892C-4943EBEAE42B}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9FA1F399-409E-4446-A68B-8E81682A5B23}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Shaw Secure\HIPS\fshs.sys [2008-02-13 17:57]
R1 FSES;F-Secure Email Scanning Driver;C:\Windows\system32\drivers\fses.sys [2007-04-26 05:43]
R1 FSFW;F-Secure Firewall Driver;C:\Windows\system32\drivers\fsdfw.sys [2008-03-17 08:04]
R1 fsvista;F-Secure Vista Support Driver;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [2007-04-26 05:42]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2007-04-26 05:42]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2007-04-26 05:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{359b423b-44c4-11dd-acf7-001a9244d132}]
\shell\AutoRun\command - "G:\Install FreeAgent Tools.exe" /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94e7ece-6df7-11dc-8e6a-806e6f6e6963}]
\shell\AutoRun\command - D:\OblivionLauncher.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-28 C:\Windows\Tasks\Scheduled scanning task.job
- C:\PROGRA~1\SHAWSE~1\ANTI-V~1\fsav.exe [2007-04-26 05:42]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 21:41:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-27 21:43:59
ComboFix-quarantined-files.txt 2008-08-28 03:42:57
ComboFix2.txt 2008-08-28 00:09:36

Pre-Run: 165,879,783,424 bytes free
Post-Run: 165,844,852,736 bytes free

312 --- E O F --- 2008-08-26 20:40:26

__RiP_ChAiN_
2008-08-28, 06:50
Hello slhurban,

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

slhurban
2008-08-28, 09:02
Malwarebytes installed and scan was completed. No infections were found. Log is pasted below.

Malwarebytes' Anti-Malware 1.25
Database version: 1090
Windows 6.0.6001 Service Pack 1

23:59:39 2008-08-27
mbam-log-08-27-2008 (23-59-39).txt

Scan type: Quick Scan
Objects scanned: 42680
Time elapsed: 1 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

__RiP_ChAiN_
2008-08-28, 19:44
Hello slhurban,

Your logs are looking a lot better, hos is your computer currently running?

slhurban
2008-08-28, 21:14
Running well thank you very much! Any tips on how to get rid of old things that linger? Game files and such? Would I use the CCleaner for that.

Thanks so very much your help. I appreciate it very much.

__RiP_ChAiN_
2008-08-28, 21:45
Hello slhurban,


Running well thank you very much! Any tips on how to get rid of old things that linger? Game files and such? Would I use the CCleaner for that.
CCleaner would be one option, ATF Cleaner is also a viable option.

Please delete the following folder:

C:\VundoFix Backups

Time for some housekeeping
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png



When shown the disclaimer, Select "2"


Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.

slhurban
2008-08-29, 02:33
Thanks for your support. I have updated my SpywareBlaster, added IE-SPYAD and checked to ensure my IE security settings are set as you suggested. I had trouble with the MVPS Hosts. I felt I was following the instructions to set it up by the "send to" option but when right clicking on the the right panel to click New/shortcut there was no new dialogue box to continue. I use Vista so that is the method I was attempting.

I have one final question, is SpywareGuard the same as SpywareBlaster? Should I have both or are they both realtime protection and since I have the one not add the other?

Thanks,

__RiP_ChAiN_
2008-08-29, 06:22
Hello slhurban,


I had trouble with the MVPS Hosts. I felt I was following the instructions to set it up by the "send to" option but when right clicking on the the right panel to click New/shortcut there was no new dialogue box to continue. I use Vista so that is the method I was attempting.
Have you seen this page (http://mvps.org/winhelp2002/hostsvista.htm) yet?


I have one final question, is SpywareGuard the same as SpywareBlaster? Should I have both or are they both realtime protection and since I have the one not add the other?
They are slightly different, SpywareBlaster primarily protects agasint malcious ActiveX controls, while SpywareGuard is a real time protection program. You should be fine to use both programs if you wish to.

slhurban
2008-08-29, 18:49
Hello slhurban,


Have you seen this page (http://mvps.org/winhelp2002/hostsvista.htm) yet?

Yes, that is the page I was working from. I got to the "sendto" page but the instructions read:

Next: Right-click in the right pane and select: New > shortcut [screenshot]
In the next dialog box click Browse and navigate to: Windows\System32\drivers\etc
Click Ok and in the next dialog box name the shortcut (example) Update Hosts

I did the right-click on the pane as shown in the screenshot but did not get a dialog box. No action resulted. Am I supposed to temporarily turn off the UAC? Not sure how to proceed here. Your help is appreciated.



They are slightly different, SpywareBlaster primarily protects agasint malcious ActiveX controls, while SpywareGuard is a real time protection program. You should be fine to use both programs if you wish to.

Thank you, I have now installed SpywareGuard and have all the short cuts in one place so I can continue regular checks and updates. :bigthumb:

__RiP_ChAiN_
2008-08-30, 11:16
Hello slhurban,

You can probably just skip the MVPS hosts file if you wish, I don't forsee it being worth all the trouble of getting it to work. The other programs you installed should keep you very well off.


Thank you, I have now installed SpywareGuard and have all the short cuts in one place so I can continue regular checks and updates.
Excellent:D:

slhurban
2008-08-30, 19:59
:bigthumb: A big thanks for all your help.