Definitely Infected.



eviljonny
2009-03-02, 01:02
rosotuse, rokewezi, hkcmd try to run at startup. Expected system behavior is present; random pop-ups and browser windows to "virus cleaning" sites and "regcleaners". Windows Live OneCare continually has its auto update disabled. And on and on and on... :sad: I am unsure of the source of the infection, though I have 2 suspects in mind. 1) I tried downloading America's Army from a file sharing site. 2) I downloaded some music files via TPB, using uTorrent as the client. I have since uninstalled both.

FYI, I did in fact run HJT, ComboFix, CCleaner, and Ad-Aware Anniversary Edition to try to clean this up myself. My logs from HJT and ComboFix are below:

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:41, on 2009-03-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.199.2.100:80
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0e50baf4-4c78-49ee-87ec-11d5d46c1136} - C:\WINDOWS\system32\bivayuye.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {f352754d-f8ad-4d6b-8a81-65e70714f9df} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [tawiyoyogu] Rundll32.exe "C:\WINDOWS\system32\rosotuse.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197062871171
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197069504468
O16 - DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} (CoxSelfInstallAx10 Control) - https://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15102/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8846 bytes
______________________

ComboFix:

ComboFix 09-03-01.01 - eviljonny 2009-03-01 15:14:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3379.2897 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-03-01 14:53 . 2009-02-28 21:29 15,688 --a------ C:\WINDOWS\system32\lsdelete.exe
2009-03-01 12:24 . 2009-03-01 12:24 <DIR> d-------- C:\Program Files\CCleaner
2009-03-01 12:07 . 2009-03-01 12:07 <DIR> d-------- C:\Program Files\Trend Micro
2009-03-01 11:37 . 2009-03-01 11:37 95 --a------ C:\WINDOWS\wininit.ini
2009-03-01 10:49 . 2009-03-01 10:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2009-03-01 10:49 . 2009-03-01 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-28 21:30 . 2009-02-28 21:29 64,160 --a------ C:\WINDOWS\system32\drivers\Lbd.sys
2009-02-28 21:28 . 2009-02-28 21:28 <DIR> d-------- C:\Program Files\Lavasoft
2009-02-28 21:28 . 2009-02-28 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-02-28 21:28 . 2009-02-28 21:28 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-28 20:25 . 2009-01-09 11:19 1,089,593 -----c--- C:\WINDOWS\system32\dllcache\ntprint.cat
2009-02-28 20:16 . 2009-02-28 20:16 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2009-02-28 20:15 . 2009-02-28 20:15 <DIR> d-------- C:\Program Files\Roxio
2009-02-28 19:46 . 2009-02-28 19:46 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2009-02-28 12:48 . 2009-02-28 12:59 <DIR> d-------- C:\Program Files\America's Army Deploy Client
2009-02-28 12:48 . 2009-02-28 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\America's Army Deploy Client
2009-02-28 12:18 . 2009-02-28 12:18 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2009-02-28 12:17 . 2009-02-28 12:17 <DIR> d-------- C:\Program Files\Reference Assemblies
2009-02-28 12:17 . 2009-02-28 12:17 <DIR> d-------- C:\5487b557dc906c6d5800f2bd4a
2009-02-28 12:17 . 2008-07-06 04:06 1,676,288 --------- C:\WINDOWS\system32\xpssvcs.dll
2009-02-28 12:17 . 2008-07-06 04:06 1,676,288 -----c--- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2009-02-28 12:17 . 2008-07-06 02:50 597,504 -----c--- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2009-02-28 12:17 . 2008-07-06 04:06 575,488 --------- C:\WINDOWS\system32\xpsshhdr.dll
2009-02-28 12:17 . 2008-07-06 04:06 575,488 -----c--- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2009-02-28 12:17 . 2008-07-06 04:06 117,760 --------- C:\WINDOWS\system32\prntvpt.dll
2009-02-28 12:17 . 2008-07-06 04:06 89,088 -----c--- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2009-02-28 12:16 . 2009-02-28 12:37 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2009-02-22 16:09 . 2009-02-22 16:09 <DIR> d-------- C:\Program Files\TechSmith
2009-02-22 16:09 . 2009-02-22 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2009-02-22 16:08 . 2009-02-22 16:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2009-02-16 09:31 . 2009-02-16 09:31 <DIR> d-------- C:\Program Files\Domination

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-01 23:17 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2009-03-01 23:17 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2009-03-01 18:35 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2009-03-01 04:13 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2009-03-01 04:13 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2009-03-01 04:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2009-02-28 23:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2009-02-16 17:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2009-02-16 17:17 --------- d-----w C:\Program Files\Google
2009-02-12 03:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-01-30 20:26 --------- d-----w C:\Program Files\WebEx
2009-01-17 06:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2009-01-17 06:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Roxio
2009-01-07 06:16 --------- d-----w C:\Program Files\DivX
2007-06-22 02:38 30,280 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 02:38 79,432 ----a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 02:38 71,240 ----a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll
2007-06-22 02:38 140,872 ----a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 02:39 38,472 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll
2007-06-22 02:39 46,664 ----a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll
2007-06-22 02:39 34,376 ----a-w C:\Program Files\mozilla firefox\plugins\logging.dll
2007-06-22 02:39 685,640 ----a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 02:40 30,280 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
2009-02-16 17:50 67,688 ----a-w C:\Program Files\mozilla firefox\components\jar50.dll
2009-02-16 17:50 54,368 ----a-w C:\Program Files\mozilla firefox\components\jsd3250.dll
2009-02-16 17:50 34,944 ----a-w C:\Program Files\mozilla firefox\components\myspell.dll
2009-02-16 17:50 46,712 ----a-w C:\Program Files\mozilla firefox\components\spellchk.dll
2009-02-16 17:50 172,136 ----a-w C:\Program Files\mozilla firefox\components\xpinstal.dll
2008-09-21 15:44 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 16:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 11:34 69632]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-10-07 13:33 13574144]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-11-05 13:18 64880]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-10-07 13:33 86016]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-28 21:29 509784]
"nwiz"="nwiz.exe" [2008-10-07 13:33 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\yeyapoyu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [2009-02-28 21:30:03 64160]
R1 FD;FD;C:\WINDOWS\system32\drivers\FD.sys [2007-12-07 12:40:11 24179]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 13:34:37 950096]
R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-11-05 13:16:44 25968]
R3 chdrvr01;CH Control Manager Driver 1;C:\WINDOWS\system32\drivers\chdrvr01.sys [2008-03-23 11:16:46 215104]
R3 chdrvr02;CH Control Manager Driver 2;C:\WINDOWS\system32\drivers\chdrvr02.sys [2008-03-23 11:16:46 3744]
R3 chdrvr03;CH Control Manager Driver 3;C:\WINDOWS\system32\drivers\chdrvr03.sys [2008-03-23 11:16:46 9024]
.
Contents of the 'Scheduled Tasks' folder

2009-03-01 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-28 21:29]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0e50baf4-4c78-49ee-87ec-11d5d46c1136} - C:\WINDOWS\system32\bivayuye.dll
BHO-{f352754d-f8ad-4d6b-8a81-65e70714f9df} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-tawiyoyogu - C:\WINDOWS\system32\rosotuse.dll
MSConfigStartUp-CPM0f0705d8 - c:\windows\system32\rokewezi.dll
MSConfigStartUp-tawiyoyogu - C:\WINDOWS\system32\rosotuse.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 10.199.2.100:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} - hxxps://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yooletgh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - component: C:\Program Files\Mozilla Firefox\components\xpinstal.dll
FF - component: C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
__________________
End.

Thank you for any assistance.
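For readers working through logs like the two above, here is a small triage script. It is added to this thread as an illustration and is not a tool that eviljonny or Blade81 used. It reads HijackThis/ComboFix-style lines and flags the entries a helper checks first: O2 BHOs with no name or a missing file, O4 Run entries that load a DLL under a generated-looking name, a user-level IE proxy, a populated AppInit_DLLs value, and Security Center/firewall switches turned off. The consonant-vowel name check is my own assumption: it matches rosotuse, rokewezi, bivayuye, yeyapoyu and tawiyoyogu from this thread, but it will also hit some legitimate names and miss other naming schemes, so treat every hit as a prompt to look, not a verdict. The sample lines are constructed in the same shapes as the logs above.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high": classic infection marker; "review": needs context
    reason: str
    line: str


# Heuristic (assumption, not a published rule): lowercase names built from
# 3-6 consonant+vowel pairs, the shape of rosotuse, rokewezi, bivayuye,
# yeyapoyu and tawiyoyogu in the thread's logs. Expect some false positives.
_CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiouy]){3,6}$")

_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
_DLL = re.compile(r'[^"\s,]+\.dll', re.IGNORECASE)
_PROXY = re.compile(r"^R1 - .*Internet Settings,ProxyServer = \S+")
_APPINIT = re.compile(r'^"AppInit_DLLs"=(?P<val>.+)$')
_NOTIFY_OFF = re.compile(r'^"(?:AntiVirus|Updates|Firewall)DisableNotify"=dword:0*1$')
_FW_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')


def looks_generated(name: str) -> bool:
    """True when a name fits the consonant-vowel pattern described above."""
    return bool(_CV_NAME.match(name.lower()))


def _dll_stem(text: str) -> str:
    """Base name (without .dll) of the first DLL path in text, or ''."""
    m = _DLL.search(text)
    return ntpath.splitext(ntpath.basename(m.group(0)))[0] if m else ""


def classify(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = _BHO.match(line)
    if m:
        if m["name"] == "(no name)" or "(file missing)" in m["path"] or "(no file)" in m["path"]:
            return Finding("high", "BHO with no name or missing file", line)
        return None
    m = _RUN.match(line)
    if m:
        via_rundll = "rundll32" in m["cmd"].lower()
        if looks_generated(m["key"]) or (via_rundll and looks_generated(_dll_stem(m["cmd"]))):
            return Finding("high", "Run entry loading a generated-looking DLL name", line)
        return None
    if _PROXY.match(line):
        return Finding("review", "user-level IE proxy set; confirm it belongs on this network", line)
    m = _APPINIT.match(line)
    if m:
        sev = "high" if looks_generated(_dll_stem(m["val"])) else "review"
        return Finding(sev, "AppInit_DLLs is loaded into every process that loads user32.dll", line)
    if _NOTIFY_OFF.match(line):
        return Finding("high", "Security Center notification switched off", line)
    if _FW_OFF.match(line):
        return Finding("review", "Windows Firewall disabled in the standard profile", line)
    return None


def triage(log_text: str) -> list[Finding]:
    """Run classify() over every line and keep the hits."""
    return [f for f in (classify(ln.strip()) for ln in log_text.splitlines()) if f]


# Constructed sample in the shapes seen in the HJT and ComboFix logs above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.199.2.100:80
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: (no name) - {0e50baf4-4c78-49ee-87ec-11d5d46c1136} - C:\WINDOWS\system32\bivayuye.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tawiyoyogu] Rundll32.exe "C:\WINDOWS\system32\rosotuse.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"AppInit_DLLs"=C:\WINDOWS\system32\yeyapoyu.dll
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample it reports eight lines: the two nameless/missing BHOs, the tawiyoyogu Run entry, the AppInit_DLLs value and the two DisableNotify switches as high, and the proxy and firewall lines as review. The legitimate NvCpl and ctfmon entries are left alone. The point for a reader of this thread is that the ComboFix "Reg Loading Points" section, not just the HJT O4 lines, is where the AppInit_DLLs hook and the disabled notifications show up, which is why a complete ComboFix log matters.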

Blade81
2009-03-03, 15:17
Hi

Seems like the ending part of ComboFix is missing. Could you post a complete one, please?

eviljonny
2009-03-04, 04:14
Hi

Seems like the ending part of ComboFix is missing. Could you post a complete one, please?

That's all there is. Is the HJT log not enough to go on? Sorry. :sad:

Blade81
2009-03-04, 10:32
Hi

No, it's not showing enough details. Please run ComboFix again and post back the resultant log.

Blade81
2009-03-10, 18:45
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.