# Audio ads playing in background



## sutefaniidesu

Good evening.

Ever since this morning, I've been getting audio ads playing on my computer despite the fact that my browser is closed and that no video is playing at all. I've been worried, since my Windows Live OneCare detected trojans recently... But I deleted them, and now it doesn't detect anything wrong anymore, no viruses, nothing. A few times I opened Task Manager to check if I noticed a process that I didn't recognize, but nothing came on.

Here is my HijackThis log. Please do tell me if you see something suspicious.

Thanks for the help in advance.

_Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:30:47 PM, on 01/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\lg_swupdate\GiljabiStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
C:\Program Files\LG Software\LG Magnifier\MagnifyingGlass.exe
C:\Program Files\LG Software\On Screen Display Setup\HotKey.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\LG Software\LG Magnifier\Maglev.exe
C:\Users\Steph\AppData\Roaming\SystemProc\lsass.exe
C:\Users\Steph\.COMMgr\complmgr.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\Gadgets\LGSmartI.Gadget\plugins\LGSmartI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Steph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Steph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Users\Steph\AppData\Local\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.umontreal.ca:443/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BatteryMiser 5] C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
O4 - HKLM\..\Run: [LG Magnifier] %ProgramFiles%\LG Software\LG Magnifier\MagnifyingGlass.exe
O4 - HKLM\..\Run: [KeybdUtility] C:\Program Files\LG Software\On Screen Display Setup\HotKey.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Steph\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\Steph\AppData\Roaming\SystemProc\lsass.exe
O4 - HKCU\..\Run: [COM+ Manager] "C:\Users\Steph\.COMMgr\complmgr.exe"
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Correcteur - {F7C8E5F6-B6D1-45db-8D91-2BCFA5DF11A9} - C:\PROGRA~1\Druide\Antidote\Internet Explorer\7\Antidote K - IE 7.htm (HKCU)
O9 - Extra button: Dictionnaires - {F9B969E8-58D0-4dd9-AC8A-EE2336FF8F65} - C:\PROGRA~1\Druide\Antidote\Internet Explorer\7\Antidote D - IE 7.htm (HKCU)
O9 - Extra button: Guides - {FA089E36-3F1B-4c51-9A1A-C4E7012483AF} - C:\PROGRA~1\Druide\Antidote\Internet Explorer\7\Antidote G - IE 7.htm (HKCU)
O13 - Gopher Prefix: 
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

--
End of file - 10168 bytes
_


----------



## KieranJA

_ C:\Users\Steph\.COMMgr\complmgr.exe- Thats malware.
_


----------



## sutefaniidesu

Hello,

To be honest, my anti-virus eventually found it and got rid of it, but thank you for telling me anyway. At least I'll know that is malware if I ever come across it again... and if I ever run into another one of those problems, I'll be sure to come back here.

Thank you very much!


----------



## KieranJA

Change all your passwords and you bank information.


----------



## sutefaniidesu

Are you serious...? o____O;;


----------



## Phantom010

Your computer is infected. Please click on the *Report* button and kindly ask to be moved to the *Malware Removal* forum. From there, be patient. You should get an answer within the next 48 hours. These guys are really busy!


----------



## sutefaniidesu

Alright, thank you. Will do so.


----------



## dvk01

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*​
Download ComboFix from *Here* to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall*_* before* _performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK * to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *


----------



## sutefaniidesu

I disabled the virus and spyware monitoring, as well as the firewall for my Windows Live Onecare program, but ComboFix tells me that the anti-virus and anti-spyware are still active...


----------



## sutefaniidesu

Please ignore my earlier post. At first I tried it anyways and my computer crashed, but then I tried it again and it worked. Here is the report:
ComboFix 10-01-15.01 - Steph 15/01/2010 12:50:56.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2813.1628 [GMT -5:00]
Running from: c:\users\Steph\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3449998019-1486495301-68433349-500
C:\install.exe
c:\users\Steph\AppData\Roaming\SystemProc

.
((((((((((((((((((((((((( Files Created from 2009-12-15 to 2010-01-15 )))))))))))))))))))))))))))))))
.

2010-01-15 17:58 . 2010-01-15 17:58	--------	d-----w-	c:\users\TEMP\AppData\Local\temp
2010-01-14 00:02 . 2010-01-14 00:02	--------	d-----w-	c:\program files\Druide
2010-01-13 23:56 . 2010-01-13 23:56	8677824	----a-w-	c:\users\Steph\AppData\Roaming\Azureus\tmp\AZU6473.tmp\Vuze_4.3.0.6b_win32.exe
2010-01-13 14:30 . 2009-10-19 13:38	156672	----a-w-	c:\windows\system32\t2embed.dll
2010-01-13 14:30 . 2009-10-19 13:35	72704	----a-w-	c:\windows\system32\fontsub.dll
2010-01-09 19:57 . 2010-01-09 19:57	--------	d-----w-	c:\programdata\WindowsSearch
2010-01-01 21:59 . 2010-01-01 21:59	388096	----a-r-	c:\users\Steph\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-01 21:59 . 2010-01-01 21:59	--------	d-----w-	c:\program files\TrendMicro
2009-12-31 23:08 . 2009-12-31 23:08	--------	d-sh--w-	c:\users\Steph\.COMMgr
2009-12-24 22:17 . 2009-12-24 22:17	--------	d-----w-	c:\programdata\VideoMach
2009-12-24 22:17 . 2009-12-24 22:17	--------	d-----w-	c:\program files\VideoMach

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 17:45 . 2009-10-16 04:41	--------	d-----w-	c:\users\Steph\AppData\Roaming\Skype
2010-01-15 17:42 . 2008-06-24 00:52	12	----a-w-	c:\windows\bthservsdp.dat
2010-01-15 16:35 . 2009-09-22 04:32	--------	d-----w-	c:\users\Steph\AppData\Roaming\EndNote
2010-01-15 12:57 . 2008-09-07 18:59	--------	d-----w-	c:\program files\Microsoft Windows OneCare Live
2010-01-14 05:09 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-01-14 03:50 . 2008-06-24 08:05	--------	d-----w-	c:\users\Steph\AppData\Roaming\Azureus
2010-01-14 00:00 . 2008-12-24 05:26	1	----a-w-	c:\users\Steph\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-07 22:51 . 2008-06-27 22:54	680	----a-w-	c:\users\Steph\AppData\Local\d3d9caps.dat
2010-01-02 00:48 . 2010-01-02 00:48	0	---ha-w-	c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-28 21:07 . 2008-06-24 07:48	--------	d-----w-	c:\program files\Vuze
2009-11-28 04:36 . 2009-11-28 03:00	--------	d-----w-	c:\program files\CCAD
2009-11-28 02:59 . 2009-09-13 14:31	--------	d-----w-	c:\program files\Safari
2009-11-28 02:57 . 2009-11-28 02:57	79144	----a-w-	c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-26 18:06 . 2009-01-07 20:53	--------	d-----w-	c:\users\Steph\AppData\Roaming\DAEMON Tools Lite
2009-11-26 17:57 . 2009-11-26 17:55	--------	d-----w-	c:\program files\DAEMON Tools Lite
2009-11-26 17:57 . 2009-01-07 20:58	--------	d-----w-	c:\program files\DAEMON Tools Toolbar
2009-11-26 17:56 . 2009-01-07 20:54	691696	----a-w-	c:\windows\system32\drivers\sptd.sys
2009-11-26 17:55 . 2009-01-07 20:59	--------	d-----w-	c:\programdata\DAEMON Tools Lite
2009-11-24 15:39 . 2009-11-24 15:39	1093064	----a-w-	c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\m4l7gjio.default\extensions\[email protected]\components\DTToolbarFF.dll
2009-11-24 00:16 . 2009-01-07 17:41	--------	d-----w-	c:\users\Steph\AppData\Roaming\skypePM
2009-11-21 06:40 . 2009-12-09 20:23	916480	----a-w-	c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 20:23	109056	----a-w-	c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-09 20:23	71680	----a-w-	c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-09 20:23	133632	----a-w-	c:\windows\system32\ieUnatt.exe
2009-11-17 18:07 . 2009-11-17 18:07	--------	d-----w-	c:\program files\Windows Portable Devices
2009-11-17 18:06 . 2006-11-02 10:25	665600	----a-w-	c:\windows\inf\drvindex.dat
2009-11-17 18:06 . 2009-11-17 18:06	0	---ha-w-	c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-09 12:31 . 2009-12-10 05:05	24064	----a-w-	c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-10 05:05	30720	----a-w-	c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-10 05:05	411648	----a-w-	c:\windows\system32\drivers\http.sys
2009-11-06 06:17 . 2009-11-06 06:17	79144	----a-w-	c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 09:17 . 2009-11-26 05:02	2048	----a-w-	c:\windows\system32\tzres.dll
2009-10-23 14:49 . 2009-10-23 14:49	0	----a-w-	c:\windows\nsreg.dat
2009-10-23 14:44 . 2009-09-10 16:22	83416	----a-w-	c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-03 15:36 . 2008-06-27 22:47	24	----a-w-	c:\program files\Sims2Pack Clean Installer.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Google Update"="c:\users\Steph\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-09-12 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"COM+ Manager"="c:\users\Steph\.COMMgr\complmgr.exe" [2010-01-01 369152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"LG Intelligent Update"="c:\program files\lg_swupdate\giljabistart.exe" [2008-01-07 247088]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 4702208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-29 894248]
"BatteryMiser 5"="c:\program files\LG Software\BatteryMiser\BatteryMiser5.exe" [2007-11-19 693552]
"LG Magnifier"="c:\program files\LG Software\LG Magnifier\MagnifyingGlass.exe" [2007-08-31 140592]
"KeybdUtility"="c:\program files\LG Software\On Screen Display Setup\HotKey.exe" [2007-11-06 2872624]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-07 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"agentantidote.exe"="c:\program files\Druide\Antidote 7\Programmes32\agentantidote.exe" [2009-10-18 600256]

c:\users\Steph\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-8-4 42168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-15 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= "c:\windows\system32\bmpsap.dll" [2006-12-11 114688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):89,60,f1,38,a0,f9,c9,01

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [09/07/2009 11:15 AM 26104]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr28.sys [23/06/2008 8:19 PM 327168]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [07/01/2009 3:54 PM 691696]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [30/06/2008 5:00 PM 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation	REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1681082960-2925324811-1939343358-1000Core.job
- c:\users\Steph\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-12 04:06]

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1681082960-2925324811-1939343358-1000UA.job
- c:\users\Steph\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-12 04:06]

2010-01-14 c:\windows\Tasks\User_Feed_Synchronization-{DE226805-A131-411E-AE13-5472109594AF}.job
- c:\windows\system32\msfeedssync.exe [2009-12-09 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\m4l7gjio.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.umontreal.ca/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\m4l7gjio.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\m4l7gjio.default\extensions\[email protected]\components\DTToolbarFF.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Steph\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-15 12:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
COM+ Manager = "c:\users\Steph\.COMMgr\complmgr.exe"?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-15 13:01:39
ComboFix-quarantined-files.txt 2010-01-15 18:01

Pre-Run: 134,780,862,464 bytes free
Post-Run: 135,682,080,768 bytes free

- - End Of File - - 887190EF94579910623C13D8506E3382


----------



## dvk01

please don't use italics when posting logs, it makes them very hard to read

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *
Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## sutefaniidesu

Sorry, I actually thought it would help the reading. My bad.

ComboFix 10-01-15.01 - Steph 15/01/2010 15:30:55.2.2 - x86
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.2.1033.18.2813.1448 [GMT -5:00]
Running from: c:\users\Steph\Desktop\ComboFix.exe
Command switches used :: c:\users\Steph\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}

file zipped: c:\users\Steph\.COMMgr\complmgr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Steph\.COMMgr
c:\users\Steph\.COMMgr\complmgr.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-15 to 2010-01-15 )))))))))))))))))))))))))))))))
.

2010-01-15 20:36 . 2010-01-15 20:36	--------	d-----w-	c:\users\TEMP\AppData\Local\temp
2010-01-15 20:36 . 2010-01-15 20:36	--------	d-----w-	c:\users\Public\AppData\Local\temp
2010-01-15 20:36 . 2010-01-15 20:36	--------	d-----w-	c:\users\Mcx1\AppData\Local\temp
2010-01-15 20:36 . 2010-01-15 20:36	--------	d-----w-	c:\users\Guest\AppData\Local\temp
2010-01-15 20:36 . 2010-01-15 20:36	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-01-15 20:36 . 2010-01-15 20:36	--------	d-----w-	c:\users\Administrator\AppData\Local\temp
2010-01-14 00:02 . 2010-01-14 00:02	--------	d-----w-	c:\program files\Druide
2010-01-13 23:56 . 2010-01-13 23:56	8677824	----a-w-	c:\users\Steph\AppData\Roaming\Azureus\tmp\AZU6473.tmp\Vuze_4.3.0.6b_win32.exe
2010-01-13 14:30 . 2009-10-19 13:38	156672	----a-w-	c:\windows\system32\t2embed.dll
2010-01-13 14:30 . 2009-10-19 13:35	72704	----a-w-	c:\windows\system32\fontsub.dll
2010-01-09 19:57 . 2010-01-09 19:57	--------	d-----w-	c:\programdata\WindowsSearch
2010-01-01 21:59 . 2010-01-01 21:59	388096	----a-r-	c:\users\Steph\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-01 21:59 . 2010-01-01 21:59	--------	d-----w-	c:\program files\TrendMicro
2009-12-24 22:17 . 2009-12-24 22:17	--------	d-----w-	c:\programdata\VideoMach
2009-12-24 22:17 . 2009-12-24 22:17	--------	d-----w-	c:\program files\VideoMach

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 20:19 . 2009-09-22 04:32	--------	d-----w-	c:\users\Steph\AppData\Roaming\EndNote
2010-01-15 17:45 . 2009-10-16 04:41	--------	d-----w-	c:\users\Steph\AppData\Roaming\Skype
2010-01-15 17:42 . 2008-06-24 00:52	12	----a-w-	c:\windows\bthservsdp.dat
2010-01-15 12:57 . 2008-09-07 18:59	--------	d-----w-	c:\program files\Microsoft Windows OneCare Live
2010-01-14 05:09 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-01-14 03:50 . 2008-06-24 08:05	--------	d-----w-	c:\users\Steph\AppData\Roaming\Azureus
2010-01-14 00:00 . 2008-12-24 05:26	1	----a-w-	c:\users\Steph\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-07 22:51 . 2008-06-27 22:54	680	----a-w-	c:\users\Steph\AppData\Local\d3d9caps.dat
2010-01-02 00:48 . 2010-01-02 00:48	0	---ha-w-	c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-28 21:07 . 2008-06-24 07:48	--------	d-----w-	c:\program files\Vuze
2009-11-28 04:36 . 2009-11-28 03:00	--------	d-----w-	c:\program files\CCAD
2009-11-28 02:59 . 2009-09-13 14:31	--------	d-----w-	c:\program files\Safari
2009-11-28 02:57 . 2009-11-28 02:57	79144	----a-w-	c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-26 18:06 . 2009-01-07 20:53	--------	d-----w-	c:\users\Steph\AppData\Roaming\DAEMON Tools Lite
2009-11-26 17:57 . 2009-11-26 17:55	--------	d-----w-	c:\program files\DAEMON Tools Lite
2009-11-26 17:57 . 2009-01-07 20:58	--------	d-----w-	c:\program files\DAEMON Tools Toolbar
2009-11-26 17:56 . 2009-01-07 20:54	691696	----a-w-	c:\windows\system32\drivers\sptd.sys
2009-11-26 17:55 . 2009-01-07 20:59	--------	d-----w-	c:\programdata\DAEMON Tools Lite
2009-11-24 15:39 . 2009-11-24 15:39	1093064	----a-w-	c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\m4l7gjio.default\extensions\[email protected]\components\DTToolbarFF.dll
2009-11-24 00:16 . 2009-01-07 17:41	--------	d-----w-	c:\users\Steph\AppData\Roaming\skypePM
2009-11-21 06:40 . 2009-12-09 20:23	916480	----a-w-	c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 20:23	109056	----a-w-	c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-09 20:23	71680	----a-w-	c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-09 20:23	133632	----a-w-	c:\windows\system32\ieUnatt.exe
2009-11-17 18:07 . 2009-11-17 18:07	--------	d-----w-	c:\program files\Windows Portable Devices
2009-11-17 18:06 . 2006-11-02 10:25	665600	----a-w-	c:\windows\inf\drvindex.dat
2009-11-17 18:06 . 2009-11-17 18:06	0	---ha-w-	c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-09 12:31 . 2009-12-10 05:05	24064	----a-w-	c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-10 05:05	30720	----a-w-	c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-10 05:05	411648	----a-w-	c:\windows\system32\drivers\http.sys
2009-11-06 06:17 . 2009-11-06 06:17	79144	----a-w-	c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 09:17 . 2009-11-26 05:02	2048	----a-w-	c:\windows\system32\tzres.dll
2009-10-23 14:49 . 2009-10-23 14:49	0	----a-w-	c:\windows\nsreg.dat
2009-10-23 14:44 . 2009-09-10 16:22	83416	----a-w-	c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-03 15:36 . 2008-06-27 22:47	24	----a-w-	c:\program files\Sims2Pack Clean Installer.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Google Update"="c:\users\Steph\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-09-12 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"LG Intelligent Update"="c:\program files\lg_swupdate\giljabistart.exe" [2008-01-07 247088]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 4702208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-29 894248]
"BatteryMiser 5"="c:\program files\LG Software\BatteryMiser\BatteryMiser5.exe" [2007-11-19 693552]
"LG Magnifier"="c:\program files\LG Software\LG Magnifier\MagnifyingGlass.exe" [2007-08-31 140592]
"KeybdUtility"="c:\program files\LG Software\On Screen Display Setup\HotKey.exe" [2007-11-06 2872624]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-07 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"agentantidote.exe"="c:\program files\Druide\Antidote 7\Programmes32\agentantidote.exe" [2009-10-18 600256]

c:\users\Steph\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-8-4 42168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-15 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= "c:\windows\system32\bmpsap.dll" [2006-12-11 114688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):89,60,f1,38,a0,f9,c9,01

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [09/07/2009 11:15 AM 26104]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr28.sys [23/06/2008 8:19 PM 327168]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [07/01/2009 3:54 PM 691696]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [30/06/2008 5:00 PM 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation	REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1681082960-2925324811-1939343358-1000Core.job
- c:\users\Steph\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-12 04:06]

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1681082960-2925324811-1939343358-1000UA.job
- c:\users\Steph\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-12 04:06]

2010-01-15 c:\windows\Tasks\User_Feed_Synchronization-{DE226805-A131-411E-AE13-5472109594AF}.job
- c:\windows\system32\msfeedssync.exe [2009-12-09 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\m4l7gjio.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.umontreal.ca/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\m4l7gjio.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\m4l7gjio.default\extensions\[email protected]\components\DTToolbarFF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-15 15:36
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-15 15:39:30
ComboFix-quarantined-files.txt 2010-01-15 20:39
ComboFix2.txt 2010-01-15 18:01

Pre-Run: 135,703,027,712 bytes free
Post-Run: 135,663,054,848 bytes free

- - End Of File - - 377046BC8545FF106E358B1945E9A0C3
Upload was successful

I'm going to upload the file on spykiller, because it did ask me to send (and said that it worked), but no browser window opened whatsoever...


----------



## dvk01

It's OK it did send it & I have got the file & am analysing it fully

How is it now

have all the problems stopped

You might have to reset your windows theme as it looks like this malware changes the theme but that is something you need to do manually


----------



## sutefaniidesu

Well, I hadn't had any problems in a while, they tended to come and go, but... Since it did find the file Kieran mentionned and deleted it (I think I read that somewhere in the log?), I guess the problem must have been solved. My Windows theme wasn't changed, though...

At any rate, thank you so very much!


----------



## dvk01

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then * RUN*
* Now type *Combofix /Uninstall * in the runbox and click *OK*. Note the *space *between the *X* and the */U*, it needs to be there.









This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


----------



## sutefaniidesu

Alright, then I'll do that. Thank you so much once again.


----------

