PDA

View Full Version : not sure what I've got.



karmapaymentplan
2009-01-24, 19:35
Hello, I've come home to visit my parent's computer and it appears they've picked up some malware i think. Nothing comes up on any spybot or AVG scans, but they keep getting ad pop-ups when they're not even browsing sometimes. Also might be something else but the keyboard and mouse often don't work and you have to restart/unplug the keyboard or mouse again to get it to work... that might just be a physical problem though, but I don't see why.

Here is the HJT log, and thank you in advance for any help you can give :)

Sam

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:32:18, on 24/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\sttray.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Jessops\Picture Suite\InsDetect.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Users\Mick\AppData\Local\swmia.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Creative\ZENcast Organizer\CTZenCu.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Jessops Insert Detect] C:\Program Files\Jessops\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [xccgj] "c:\users\mick\appdata\local\xccgj.exe" xccgj
O4 - HKCU\..\Run: [oigky] "c:\users\mick\appdata\local\oigky.exe" oigky
O4 - HKCU\..\Run: [swmia] "c:\users\mick\appdata\local\swmia.exe" swmia
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [CTRegRun] C:\Windows\CTRegRun.EXE
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11138 bytes

pskelley
2009-01-29, 00:06
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.

If you still need help, and you have read and followed the "Before you Post" directions, post a new HJT log since it has been four days, and I will take a look, please describe any recent symptoms.

Before you post the log, make sure you read the directions again and disable TeaTimer as instructed.

Thanks

karmapaymentplan
2009-01-30, 20:22
Hi, that's fine you don't need to apologize, I am just very grateful that you guys do this and all for free as well. The symptoms are that it has pop ups when not even browsing, explorer crashes (might just need to be defragmented though), and occassionally on start up the mouse and keyboard doesn't work and you have to unplug them and plug them back in to get it to work (this may be unrelated as we've had this problem since before the pop-ups and such)

Thank you very much for the help in advance,

Sam

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:32:18, on 24/01/2009

pskelley
2009-01-30, 20:43
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

Make sure you run all tools as administrator in Vista.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks...Phil

karmapaymentplan
2009-02-01, 16:58
Hi, just a quick note that as I spend my week days away from home, I won't be able to do anything else after this until next weekend - Just in case you were waiting a long time for a reply from me.

Combo fix log:

ComboFix 09-01-31.03 - Mick 2009-02-01 14:41:11.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1157 [GMT 0:00]
Running from: c:\users\Mick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Mick\AppData\Local\swmia.dat
c:\users\Mick\AppData\Local\swmia.exe
c:\users\Mick\AppData\Local\swmia_nav.dat
c:\users\Mick\AppData\Local\swmia_navps.dat
c:\users\Mick\AppData\Roaming\Starware353
c:\users\Mick\AppData\Roaming\Starware353\Manager\ManagerOptions.xml
c:\users\Mick\AppData\Roaming\Starware353\Manager\ManagerOptions.xml.backup

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-02-01 13:53 . 2009-02-01 13:53 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
2009-01-24 17:31 . 2009-01-24 17:31 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 17:30 . 2009-01-24 17:31 <DIR> d-------- c:\program files\ERUNT
2009-01-24 17:03 . 2009-01-28 19:26 <DIR> d-------- c:\users\Mick\AppData\Roaming\Creative
2009-01-24 16:44 . 2009-01-24 16:44 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-01-24 16:39 . 2006-10-05 22:17 53,248 --------- c:\windows\Ctregrun.exe
2009-01-24 16:38 . 2009-01-25 17:11 <DIR> d-------- c:\program files\Audible
2009-01-24 16:38 . 2009-01-24 16:38 417,792 --a------ c:\windows\System32\awrdscdc.ax
2009-01-24 16:38 . 2001-08-17 22:43 24,576 --------- c:\windows\System32\msxml3a.dll
2009-01-24 16:36 . 2009-01-24 16:43 <DIR> d-------- c:\programdata\Creative
2009-01-24 16:34 . 2009-01-24 16:36 <DIR> d--h----- c:\program files\Creative Installation Information
2009-01-24 16:34 . 2009-01-24 16:39 <DIR> d-------- c:\program files\Creative
2009-01-24 16:34 . 2009-01-24 16:34 <DIR> d-------- c:\program files\Common Files\Creative
2009-01-14 14:13 . 2008-12-16 02:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-03 21:47 . 2009-01-03 21:47 <DIR> d-------- C:\Downloads

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 14:44 --------- d-----w c:\programdata\Kontiki
2009-02-01 14:02 --------- d-----w c:\users\Mick\AppData\Roaming\uTorrent
2009-02-01 13:54 --------- d-----w c:\programdata\avg8
2009-02-01 13:53 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-01 13:53 10,520 ----a-w c:\windows\System32\avgrsstx.dll
2009-02-01 13:53 0 ----a-w c:\windows\system32\drivers\avgwfpx.sys
2009-01-29 20:31 --------- d-----w c:\programdata\Roxio
2009-01-26 13:55 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-01-25 11:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-24 16:39 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-15 17:26 --------- d-----w c:\program files\Windows Mail
2009-01-04 14:22 10,628 ----a-w c:\users\Mick\AppData\Roaming\wklnhst.dat
2008-12-27 11:25 --------- d-----w c:\program files\Apple Software Update
2008-12-11 18:17 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-12-10 16:28 --------- d-----w c:\program files\Nokia
2008-12-04 17:24 174 --sha-w c:\program files\desktop.ini
2008-12-04 17:15 --------- d-----w c:\program files\Windows Sidebar
2008-12-04 17:15 --------- d-----w c:\program files\Windows Calendar
2008-12-04 17:14 --------- d-----w c:\program files\Windows Photo Gallery
2008-12-04 17:14 --------- d-----w c:\program files\Windows Journal
2008-12-04 17:14 --------- d-----w c:\program files\Windows Defender
2008-12-04 17:14 --------- d-----w c:\program files\Windows Collaboration
2008-12-04 16:32 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-12-04 16:32 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-12-01 16:16 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-01 16:16 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2008-12-01 16:11 --------- d-----w c:\programdata\Nokia
2008-12-01 16:08 --------- d-----w c:\programdata\Installations
2008-11-24 20:07 348,160 ----a-w c:\windows\System32\msvcr71.dll
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2007-05-25 21:28 87,608 ----a-w c:\users\Mick\AppData\Roaming\ezpinst.exe
2007-05-25 21:28 47,360 ----a-w c:\users\Mick\AppData\Roaming\pcouffin.sys
2007-03-31 11:43 233,472 ----a-w c:\users\Mick\AppData\Roaming\REX Shared Library.dll
2007-03-31 11:43 225,280 ----a-w c:\users\Mick\AppData\Roaming\Rewire.dll
2008-03-21 23:36 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-21 23:36 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-21 23:36 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Jessops Insert Detect"="c:\program files\Jessops\Picture Suite\InsDetect.exe" [2003-02-17 262144]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"CTRegRun"="c:\windows\CTRegRun.EXE" [2006-10-05 53248]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-03-05 77824]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-25 1862144]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"snpstd"="c:\windows\vsnpstd.exe" [2005-10-11 339968]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-24 185872]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 c:\windows\sttray.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=G G

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8DD584A6-2F49-48EB-A113-AB42F7CD5C0C}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{75956507-FBDD-435B-B3FE-21A9EFA090F0}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{74A59043-876E-4B1A-A928-1BD658B89F24}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{98A4B517-D485-42A8-A58C-62C7E59DFFEB}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2BBC178A-D647-4391-929C-E508E3C71B3A}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{F8E7D027-4230-412E-BBC0-205594261EAF}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{2996E587-6A32-4F37-B6B0-C0F1832D7490}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent
"TCP Query User{94B1BDE3-3F07-4548-84AE-E012DFAD2830}c:\\program files\\speedtouch\\dr speedtouch\\drst.exe"= UDP:c:\program files\speedtouch\dr speedtouch\drst.exe:Dr SpeedTouch
"UDP Query User{C936782F-F83E-4DC9-AF54-1A7D2716438B}c:\\program files\\speedtouch\\dr speedtouch\\drst.exe"= TCP:c:\program files\speedtouch\dr speedtouch\drst.exe:Dr SpeedTouch
"TCP Query User{DA2B9C9E-D8DC-497F-9A48-40C38B145387}c:\\program files\\speedtouch\\dr speedtouch\\drst.exe"= UDP:c:\program files\speedtouch\dr speedtouch\drst.exe:Dr SpeedTouch
"UDP Query User{83E93DD3-44CF-4AA7-97E7-0BB5CA16C1B5}c:\\program files\\speedtouch\\dr speedtouch\\drst.exe"= TCP:c:\program files\speedtouch\dr speedtouch\drst.exe:Dr SpeedTouch
"TCP Query User{3C423F2C-DAA6-4E24-AF50-BB3BDE101EC1}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{EC712A36-0E8F-4876-A244-4FF95C022112}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{063DE617-BF3B-478B-98D0-CA81081735B7}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:utorrent
"UDP Query User{36990E88-520A-45DD-A678-FAAF7C9A2A63}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:utorrent
"TCP Query User{0C4CA30B-D333-4F42-A8C7-B4CD01E5F2FF}c:\\unrealtournament\\system\\unrealtournament.exe"= UDP:c:\unrealtournament\system\unrealtournament.exe:UnrealTournament
"UDP Query User{6586FF10-C101-4CC6-8CBF-90CEF0CB6380}c:\\unrealtournament\\system\\unrealtournament.exe"= TCP:c:\unrealtournament\system\unrealtournament.exe:UnrealTournament
"TCP Query User{1E83E9EE-232E-4378-87D0-11D790939DD3}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{107FEC66-5625-4465-9E8C-100F32BA3B89}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{B7EBB11B-50FE-4094-B22A-F3B63133D4CF}c:\\ut2004\\system\\ut2004.exe"= UDP:c:\ut2004\system\ut2004.exe:UT2004
"UDP Query User{D0433FDA-1FEC-40F1-9DCD-D9C81863E283}c:\\ut2004\\system\\ut2004.exe"= TCP:c:\ut2004\system\ut2004.exe:UT2004
"TCP Query User{9A6D3740-3F07-45D8-8CA6-D0D5902A7DA3}c:\\program files\\microsoft games\\halo\\halo.exe"= UDP:c:\program files\microsoft games\halo\halo.exe:Halo
"UDP Query User{4B846681-F949-4394-B8BC-365D45BCBF13}c:\\program files\\microsoft games\\halo\\halo.exe"= TCP:c:\program files\microsoft games\halo\halo.exe:Halo
"TCP Query User{EF60AF24-4C06-404F-BFF9-0FCD9A92B833}c:\\program files\\microsoft games\\age of empires iii\\age3.exe"= UDP:c:\program files\microsoft games\age of empires iii\age3.exe:Age of Empires 3
"UDP Query User{0AC1B4BC-7D1B-469F-9229-B816D6F4DB74}c:\\program files\\microsoft games\\age of empires iii\\age3.exe"= TCP:c:\program files\microsoft games\age of empires iii\age3.exe:Age of Empires 3
"{AA4F78BA-3D98-4B58-A239-DC5C4C9E37C4}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{9CD03FEF-8FB0-461B-9B65-C10D82032B90}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{B526F287-57D7-48D0-95FC-37683D672AA8}c:\\program files\\kontiki\\khost.exe"= UDP:c:\program files\kontiki\khost.exe:Delivery Manager
"UDP Query User{4D9603E5-45C5-40EB-BBD9-609C495649E2}c:\\program files\\kontiki\\khost.exe"= TCP:c:\program files\kontiki\khost.exe:Delivery Manager
"{BA388FB3-4D7A-4AA4-B674-80161FDBF2FE}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{4AA086AC-AB26-42DD-A1BC-75A82E060FDA}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{66D4088B-F2D2-4B5E-9311-348A0DC1AF82}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{9685866F-6D2C-4FAC-B418-55922260695E}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{3995D227-EC0B-4ED4-8818-11CD4D638AF6}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{78EFFC35-E6FB-43D9-A5CB-850E8CF12C1A}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{48AEDF35-E5F5-4E3C-8D45-E8E292879C53}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CDD72EAF-25A4-426C-87D2-7DE720E4522A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{43C250E0-05DD-41EA-8DF4-FDCB5D348680}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{7157A5B1-F18D-4264-BFFD-E3537B251A4C}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{EDD4045F-B366-45A6-91B8-F9D6C90326D7}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{E1588FE9-7018-4EE2-8ED0-BDE066763BD0}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{750EB7AD-4F9A-458B-AA55-2455D5BAD5B9}e:\\bin\\ia\\core\\mdm_util.exe"= UDP:e:\bin\ia\core\mdm_util.exe:MDM_Util
"UDP Query User{70477657-A031-4BD0-A861-C2E92627B9CE}e:\\bin\\ia\\core\\mdm_util.exe"= TCP:e:\bin\ia\core\mdm_util.exe:MDM_Util
"{D99EFE3A-7794-404F-A7F9-5DCD3AA09289}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{E61C10B3-F70C-45A8-BDFF-B5E7443E6924}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{AECD4AA9-B6EC-4455-AD92-A5A53A8B5C90}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{E07B0891-F26F-4C81-B518-509D106B032F}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"TCP Query User{16ED2F7C-F11E-4B94-B8AA-8EE8DB2BC452}c:\\program files\\thq\\dawn of war - dark crusade\\darkcrusade.exe"= UDP:c:\program files\thq\dawn of war - dark crusade\darkcrusade.exe:DarkCrusade
"UDP Query User{23A27B11-96C4-4805-9381-5337FC014C08}c:\\program files\\thq\\dawn of war - dark crusade\\darkcrusade.exe"= TCP:c:\program files\thq\dawn of war - dark crusade\darkcrusade.exe:DarkCrusade
"TCP Query User{739B732A-5237-40EE-A067-C567F8BB1753}c:\\program files\\thq\\dawn of war - soulstorm\\soulstorm.exe"= UDP:c:\program files\thq\dawn of war - soulstorm\soulstorm.exe:Soulstorm
"UDP Query User{6CB2F7AB-7C27-4AE3-BC08-4B2631B40246}c:\\program files\\thq\\dawn of war - soulstorm\\soulstorm.exe"= TCP:c:\program files\thq\dawn of war - soulstorm\soulstorm.exe:Soulstorm
"{741ECFF4-B311-4229-80DB-1C0A5D689E8E}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{82E89D51-447C-4836-BCCA-7707BA8D103E}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2008-06-13 325128]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-06-13 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-13 231704]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-01 107272]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\System32\drivers\FTD2XX.sys [2008-01-06 24197]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\System32\drivers\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\System32\drivers\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\System32\drivers\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\System32\drivers\s125obex.sys [2007-04-24 98696]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\User_Feed_Synchronization-{1E379770-FDDC-41B6-A5A1-DA54D707F47C}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 07:33]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-xccgj - c:\users\mick\appdata\local\xccgj.exe
HKCU-Run-oigky - c:\users\mick\appdata\local\oigky.exe
HKCU-Run-swmia - c:\users\mick\appdata\local\swmia.exe
HKLM-Run-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire Plus\PhotoDownloader.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tiscali.co.uk/broadband
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Mick\AppData\Roaming\Mozilla\Firefox\Profiles\h5shsoy8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 14:44:39
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(672)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-02-01 14:47:35
ComboFix-quarantined-files.txt 2009-02-01 14:47:33

Pre-Run: 28,664,774,656 bytes free
Post-Run: 29,490,741,248 bytes free

247 --- E O F --- 2009-01-29 20:07:55


Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:32:18, on 24/01/2009
End of file - 11138 bytes

Hijack this uninstall list

µTorrent
4oD
AC3Filter (remove only)
Acrobat.com
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.9
Adobe Shockwave Player 11
Age of Empires III
Apple Mobile Device Support
Apple Software Update
AudibleManager
AVG Free 8.0
Bonjour
Corel Paint Shop Pro Photo XI
Corel Snapfire Plus
Creative System Information
Creative ZEN
Dawn Of War
Dawn of War - Dark Crusade
Dawn of War - Soulstorm
Dawn Of War - Winter Assault
Dell Resource CD
Dell Support Center (Support Software)
Dell System Customization Wizard
DellSupport
Disc2Phone
EPSON Scan
ERUNT 1.1j
Favorit
GameSpy Arcade
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
iTunes
Java(TM) SE Runtime Environment 6
Jessops Picture Suite
LDC Theory Test 2006
Metacafe
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Halo
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Nokia Flashing Cable Driver
NVIDIA Drivers
PC Connectivity Solution
QuickTime
RealPlayer
Reason 3.0
RoadAngel 2 - UK
RoadAngel II USB Drivers
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Rugby Challenge 2006
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3 USB Driver Installer
Sid Meier's Civilization 4
SigmaTel Audio
Software para Impressoras EPSON
Sonic Activation Module
SpeechRedist
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Unreal Tournament G.O.T.Y. Edition
URL Assistant
User's Guides
Winamp (remove only)
Windows Live Messenger
Windows Live Sign-in Assistant
WinRAR archiver
Xfire (remove only)
Xvid 1.1.2 final uninstall
ZENcast Organizer

pskelley
2009-02-01, 18:33
I spend my week days away from home
Thanks for making me aware, five days without a response would get you closed.

Before you post the log, make sure you read the directions again and disable TeaTimer as instructed.
You may have followed the directions but I can not know that since you posted the same HJT log all three time?

µTorrent, LimeWire <<< all p2p probram must be uninstalled:
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

µTorrent <<< uninstall

Adobe Reader 7.0.9 <<< out of date, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Java(TM) SE Runtime Environment 6
Out of date and unsafe:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Spybot - Search & Destroy 1.5.2.20 <<< uninstall this old verion.
Please be sure Spybot S&D is up to date and fully immunized.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html

After you uninstall the p2p programs, post a new HJT log that show TeaTimer is disabled.

Thanks

karmapaymentplan
2009-02-01, 20:48
Everything's been deleted or updated as it should be - I was pretty sure that I had disabled teatimer, but I've enabled and disabled it again just to make sure it's off. If it is still enabled, then I may need more assistance, I disabled it through spybot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:32:18, on 24/01/2009

pskelley
2009-02-01, 21:53
You did the same thing again? Look at the header on the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:32:18, on 24/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)

:sad:

karmapaymentplan
2009-02-01, 22:08
I'm sorry, but I'm not entirely sure what you mean by the previous post. Is teatimer still not turned off?

pskelley
2009-02-01, 22:11
I really don't know, all of the HJT logs you are sending me were created a week ago: Scan saved at 17:32:18, on 24/01/2009 <<< look at the date and time.

Look at the top of of all of the logs, they are all the same, and a week old.

Send me a HJT log created today and we may be able to proceed.

karmapaymentplan
2009-02-01, 22:18
Hi, the scans I have been doing are up to date, I don't know why the dates were wrong. I downloaded hijack this again and the problem with the dates appears solved. Sorry about that. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17:05, on 01/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\sttray.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Jessops\Picture Suite\InsDetect.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Jessops Insert Detect] C:\Program Files\Jessops\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [CTRegRun] C:\Windows\CTRegRun.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: G G
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9086 bytes

pskelley
2009-02-01, 22:44
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This may start ComboFix again. After reboot I do not need to see a combofix log this time.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O20 - AppInit_DLLs: G G <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks

karmapaymentplan
2009-02-02, 01:07
Hello, following is my mbam log and a fresh hijack this file. i will make sure to monitor how the computer is running over the next few days to check if the problem is sorted. Could I request that this post be kept open until the 8th of February as I am now going back to university this week and won't be back until the weekend, thank you.

Malwarebytes' Anti-Malware 1.33
Database version: 1713
Windows 6.0.6001 Service Pack 1

01/02/2009 23:03:15
mbam-log-2009-02-01 (23-03-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 172278
Time elapsed: 1 hour(s), 25 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000005-0000-0000-0000-100009000004} (Heuristics.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Mick\AppData\Roaming\REX Shared Library.dll (Trojan.Lop.H) -> Quarantined and deleted successfully.

hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:07:29, on 01/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Jessops\Picture Suite\InsDetect.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Jessops Insert Detect] C:\Program Files\Jessops\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [CTRegRun] C:\Windows\CTRegRun.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8666 bytes

pskelley
2009-02-02, 01:33
Thanks for the comments, we still have work to do. First, this is not concerning malware but I believe your computer would benefit from this information if applied.

http://www.netsquirrel.com/msconfig/msconfig_vista.html
http://windowshelp.microsoft.com/windows/en-us/Help/596FB57F-CC9D-4AC5-A813-5C0830E9156A1033.mspx
Windows Vista System Restore Guide
http://www.bleepingcomputer.com/tutorials/tutorial143.html

Let's see if we can wrap up like this...

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update AVG8 and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
Good AVG information: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/

If all is well at this point, let me know and I will close the topic.

(all information may not apply to Vista)
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

pskelley
2009-02-09, 15:51
Could I request that this post be kept open until the 8th of February as I am now going back to university this week and won't be back until the weekend, thank you.
Closed 2/9/2009