# Trojan.Vundo.H - Need Help Removing



## topspinwu (Oct 23, 2008)

I picked up a nasty trojan infection while browsing the web: Malwarebytes' Anti-Malware scan identified it as Trojan.Vundo.H. I found several infected DLLs in the system32 folder which I deleted as well as bad startup items, but they all come back either immediately or after a reboot or two. I have a feeling getting rid of them permanently will require me to do some work while suspending the explorer.exe and winlogon services.

Below is my HijackThis log. I've highlighted the things that look suspicious to me - these are also the things that keep coming back even after deletion. Any help on the matter would be appreciated! Thank you.
----------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:36 PM, on 12/2/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7e5d7f7f-71bc-4dcc-a988-b3146cfd43f9} - C:\Windows\system32\jeniguju.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bofunemija] Rundll32.exe "C:\Windows\system32\kesezila.dll",s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bofunemija] Rundll32.exe "C:\Windows\system32\kesezila.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\mufojale.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c93b09b07c4a9f) (gupdate1c93b09b07c4a9f) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vfsFPService.exe

--
End of file - 11005 bytes
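As an added example (not part of this thread and not HijackThis code), the following Python script triages the kind of log posted above. The sample lines are copied from the log in the first post; the heuristics, the function names and the filename test are this example's own assumptions. The DLLs this thread keeps returning to (mufojale, kesezila, jeniguju, and later kafawagi) all have eight lowercase letters alternating consonant and vowel, so the script flags that shape under system32, alongside nameless or file-missing BHOs, Run entries that load a DLL through rundll32, and any AppInit_DLLs value, which user32.dll loads into every process that links it.

```python
"""Triage a HijackThis log for autostart entries worth a second look.

Added example for this thread; it is not HijackThis code.  The sample
lines are copied from the log in the first post (a constructed subset,
not the full log); the heuristics are assumptions of this example, not
rules HijackThis itself applies.
"""
import re

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7e5d7f7f-71bc-4dcc-a988-b3146cfd43f9} - C:\Windows\system32\jeniguju.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bofunemija] Rundll32.exe "C:\Windows\system32\kesezila.dll",s
O4 - HKUS\S-1-5-19\..\Run: [bofunemija] Rundll32.exe "C:\Windows\system32\kesezila.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\Windows\system32\mufojale.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumption of this example: the DLL names seen in this thread are eight
# lowercase letters alternating consonant/vowel; treat that shape as suspicious.
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$")

# A drive-letter path ending in .dll, stopping at quotes or commas.
DLL_PATH = re.compile(r'([A-Za-z]:\\[^",]*?\.dll)', re.IGNORECASE)


def looks_random(path):
    """True if the file name part of `path` has the consonant/vowel shape."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return bool(RANDOM_NAME.match(name))


def triage_line(line):
    """Return the reasons a HijackThis line deserves attention (empty if none)."""
    reasons = []
    section = line.split(" - ", 1)[0]          # O2, O4, O20, O23, ...
    if section == "O2":
        if "(no name)" in line:
            reasons.append("BHO with no name")
        if "(no file)" in line or "(file missing)" in line:
            reasons.append("BHO whose file is gone (CLSID left behind)")
    elif section == "O4":
        if "rundll32" in line.lower():
            reasons.append("Run entry loads a DLL via rundll32")
    elif section == "O20":
        reasons.append("AppInit_DLLs set: loaded into every process that links user32.dll")
    for path in DLL_PATH.findall(line):
        if "\\system32\\" in path.lower() and looks_random(path):
            reasons.append(f"random-looking DLL name in system32: {path}")
    return reasons


def triage(log_text):
    """Map every flagged log line to the list of reasons it was flagged."""
    findings = {}
    for line in log_text.strip().splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run on the sample, the script flags the two nameless BHOs, both `bofunemija` Run entries and the AppInit_DLLs line, and leaves the avast!, Adobe and service lines alone; the list is a starting point for the helper's review, not a verdict.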


----------



## topspinwu (Oct 23, 2008)

Can someone help me with this, please?


----------



## jmw3 (Jul 23, 2007)

Welcome topspinwu

I will be helping you under the guidance of one of our expert coaches.
Please give me a little time to get back to you with instructions.

*In the meantime please note the following:*

Any recommendations made are for your computer problems only and should *NOT* be used on any other computer.
Please *DO NOT* run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
1. The tools that we use are very powerful and can cause *>>irreparable damage<<* to your computer if not used correctly.
2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
If you get stuck or are unsure of something please ask for a further explanation, do not guess.
A lack of symptoms does not necessarily mean your computer is clean.
*Continue to respond to this thread until I give you the All Clean!*
*Please Note*: My instructions to you are checked by an expert prior to posting. This may cause a small delay between posts.
Thanks

I'd also like to see a list of installed programs so please do this:
*Create an Uninstall List*

1. Start HijackThis
2. Click on the *Config* button
3. Click on the *Misc Tools* button
4. Click on the *Open Uninstall Manager* button
5. Click on the *Save list...* button and specify where you would like to save this file
6. When you press the *Save* button a notepad will open with the contents of that file
7. Copy and paste the contents of that notepad here in your next reply

I'd also like to see your last log from Malwarebytes' Anti-Malware. Open MBAM, click the *Logs* tab then copy & paste the contents of the log from your last scan.


----------



## topspinwu (Oct 23, 2008)

Here is the uninstall list from HijackThis:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
7-Zip 4.60 beta
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AGEIA PhysX v7.09.13
AIM 6
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Auto Gordian Knot 2.45
avast! Antivirus
AviSynth 2.5
BitComet 1.06
BlackBerry Desktop Software 4.2
BlackBerry Desktop Software 4.2
Bonjour
CCleaner (remove only)
CDisplay 1.8
CrossLoop 2.20
CyberLink YouCam
CyberLink YouCam
DigitalPersona Personal 3.0.1
DVD Decrypter (Remove Only)
Gears of War
[email protected]eUtilities 3.2
Google Gears
Google Update
Goombah Partner COM Server
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
HP Active Support Library
HP Customer Experience Enhancements
HP Customer Participation Program 8.0
HP Deskjet Printer Driver Software. 8.0.B
HP Doc Viewer
HP Help and Support
HP Imaging Device Functions 8.0
HP Integrated Module with Bluetooth wireless technology 6.0.1.6200
HP Photosmart Essential
HP Quick Launch Buttons 6.40 H2
HP QuickPlay 3.7
HP QuickTouch 1.00 D2
HP Smart Web Printing
HP Solution Center 8.0
HP Total Care Advisor
HP Update
HP USB Smart Card Keyboard
HP User Guides 0102
HP Wireless Assistant
HPNetworkAssistant
HPSSupply
HPTCSSetup
IDT Audio
Intel® Matrix Storage Manager
iriver plus 3 (remove only)
iTunes
Java(TM) 6 Update 10
JMicron JMB38X Flash Media Controller
Junction Link Magic 1.0
LimeWire PRO 4.18.3
Malwarebytes' Anti-Malware
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.0.4)
Mp3tag v2.41
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Nero 8
neroxml
NVIDIA Drivers
PDF Settings
PowerISO
ProtectSmart Hard Drive Protection
PSP Video Express(remove only)
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Registry Mechanic
Ruckus Player
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB955936)
Security Update for Microsoft Office Excel 2007 (KB955470)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Skype 3.8
Startup Manager 2.4.2
Steam
Synaptics Pointing Device Driver
System Requirements Lab
TI Connect 1.6
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Validity Sensors software
VCRedistSetup
Video mp3 Extractor
vixy converter uninstall
VLC media player 0.9.2
VobSub v2.23 (Remove Only)
Windows Installer Clean Up
XviD MPEG4 Video Codec (remove only)



And here is the Malwarebytes' log file: 

Malwarebytes' Anti-Malware 1.30
Database version: 1430
Windows 6.0.6001 Service Pack 1

12/3/2008 2:07:35 PM
mbam-log-2008-12-03 (14-07-35).txt

Scan type: Quick Scan
Objects scanned: 48481
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\kafawagi.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5aa5662c (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bofunemija (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\kafawagi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\kafawagi.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\kafawagi.dll (Trojan.BHO) -> Delete on reboot.


Thanks
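The MBAM log above names the same file, kafawagi.dll, as a loaded memory module, as both AppInit_DLLs values and as a file on disk, and marks the module and the file "Delete on reboot" while the registry entries were removed at once. As an added example (not part of this thread and not Malwarebytes code), the Python below parses a log of that layout and groups every finding by the artifact it points at, so a single DLL wired into several autostart locations shows up as one cluster and the items that could not be removed while loaded are listed separately. The sample lines are copied from the log above; the section and status parsing, and the function names, are this example's own assumptions about the log format.

```python
"""Group Malwarebytes' Anti-Malware findings by the artifact they name.

Added example for this thread, not MBAM code.  The sample lines are
copied from the log posted above (a constructed subset); the parsing
rules are this example's assumptions about the log layout.
"""
import re
from collections import defaultdict

SAMPLE_MBAM_LOG = r"""
Memory Modules Infected:
c:\Windows\System32\kafawagi.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bofunemija (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\kafawagi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\kafawagi.dll -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\System32\kafawagi.dll (Trojan.BHO) -> Delete on reboot.
"""

# "<item> (<family>) -> <rest>", where <rest> may start with "Data: <value> -> ".
FINDING = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<rest>.+)$")
CLSID = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)


def parse_findings(text):
    """Yield (section, item, family, data, status) for each finding line."""
    section = None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # section header
            section = line[:-1]
            continue
        m = FINDING.match(line)
        if not m or section is None:
            continue
        rest = m.group("rest")
        data = None
        if rest.startswith("Data: "):            # registry data item: value then status
            data, rest = rest[6:].split(" -> ", 1)
        yield section, m.group("item"), m.group("family"), data, rest.rstrip(".")


def artifact_key(item, data):
    """Reduce a finding to what it points at: a CLSID if present, else the last path element."""
    target = data or item
    m = CLSID.search(target)
    if m:
        return m.group(0).lower()
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cluster_by_artifact(text):
    """Map each artifact to the list of (section, item, status) findings that name it."""
    clusters = defaultdict(list)
    for section, item, _family, data, status in parse_findings(text):
        clusters[artifact_key(item, data)].append((section, item, status))
    return dict(clusters)


def still_loaded(text):
    """Artifacts whose removal was deferred to reboot (i.e. in use when scanned)."""
    return sorted({artifact_key(item, data)
                   for _s, item, _f, data, status in parse_findings(text)
                   if status.startswith("Delete on reboot")})


if __name__ == "__main__":
    for artifact, hits in cluster_by_artifact(SAMPLE_MBAM_LOG).items():
        print(f"{artifact}: {len(hits)} finding(s)")
        for section, item, status in hits:
            print(f"   [{section}] {item} -> {status}")
    print("deferred to reboot:", still_loaded(SAMPLE_MBAM_LOG))
```

On the sample this yields three clusters: kafawagi.dll with four findings, the BHO CLSID with two (its class key and its SharedTaskScheduler entry) and the bofunemija Run value with one; kafawagi.dll is the only artifact deferred to reboot, which matches the poster's experience that the file cannot be removed by hand while it is loaded.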


----------



## jmw3 (Jul 23, 2007)

Thanks topspinwu

I'll get back to you soon.


----------



## jmw3 (Jul 23, 2007)

Apologies for the delay. I'll get back to you as soon as I can.


----------



## jmw3 (Jul 23, 2007)

*P2P Warning!*
*IMPORTANT* I notice there are signs of one or more *P2P (Person to Person) File Sharing Programs* on your computer.

*BitComet 1.06 | LimeWire PRO 4.18.3*

Please note that as long as you are using any form of *Peer-to-Peer networking* and *downloading files* from non-documented sources, you can expect infestations of malware to occur. 
P2P file sharing used to be fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
I'd like you to read the *Guidelines for P2P Programs* where we explain why it's not a good idea to have them.
References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs *here*

Go to *Control Panel > Add/Remove Programs* and uninstall the programs listed above (in red).

*Combofix*
Download *ComboFix* from one of these locations:
*Link 1*
*Link 2*
*Link 3*

***IMPORTANT !!! Save ComboFix.exe to your Desktop***


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
*A guide to do this can be found here*
The ones that need to be closed/disabled are:
*Avast4*
Double click on ComboFix.exe & follow the prompts
Click *No* if prompted to install the Recovery Console as it is applicable to Microsoft XP only
When finished, it shall produce a log for you. Please include the contents of *C:\ComboFix.txt* in your next reply *along with a new HijackThis log*
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix *SHOULD NOT* be used unless requested by a forum helper


----------



## topspinwu (Oct 23, 2008)

Here are the results from ComboFix, followed by another HijackThis log.

ComboFix 08-12-06.03 - Twu 2008-12-06 13:17:48.1 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.1800 [GMT -8:00]
Running from: c:\users\Twu\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\amukusog.ini
c:\windows\system32\mufojale.dll
c:\windows\system32\rapepute.dll
c:\windows\system32\repozuyi.dll
c:\windows\system32\tinonere.dll
c:\windows\system32\yejenujo.dll
c:\windows\system32\yiriyidi.dll
c:\windows\system32\zufajudi.dll
c:\windows\system32\zugeyale.dll
c:\windows\Tasks\xycrckvq.job
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-11-30 16:49 . 2008-11-30 16:49 d-------- C:\VundoFix Backups
2008-11-30 11:39 . 2008-11-30 11:40 d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 11:39 . 2008-11-30 11:40 d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 11:39 . 2008-11-30 11:40 d-------- c:\program files\iTunes
2008-11-30 11:39 . 2008-11-30 11:39 d-------- c:\program files\iPod
2008-11-30 11:38 . 2008-11-30 11:39 d-------- c:\program files\QuickTime
2008-11-30 11:34 . 2008-11-30 11:34 410,976 --a------ c:\windows\System32\deploytk.dll
2008-11-30 01:31 . 2008-11-30 01:31 d-------- c:\users\Twu\AppData\Roaming\Microsoft Games
2008-11-29 21:00 . 2008-11-29 21:00 d-------- c:\program files\Common Files\Microsoft Games
2008-11-29 21:00 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\System32\d3dx9_35.dll
2008-11-29 21:00 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\System32\d3dx9_33.dll
2008-11-29 21:00 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\System32\D3DCompiler_35.dll
2008-11-29 21:00 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\System32\D3DCompiler_33.dll
2008-11-29 21:00 . 2007-07-19 18:14 444,776 --a------ c:\windows\System32\d3dx10_35.dll
2008-11-29 21:00 . 2007-03-15 16:57 443,752 --a------ c:\windows\System32\d3dx10_33.dll
2008-11-29 21:00 . 2006-09-28 16:05 237,848 --a------ c:\windows\System32\xactengine2_4.dll
2008-11-29 21:00 . 2007-04-04 18:53 81,768 --a------ c:\windows\System32\xinput1_3.dll
2008-11-28 11:03 . 2008-11-28 11:03 d-------- c:\users\Twu\AppData\Roaming\CyberLink
2008-11-28 00:27 . 2008-11-28 00:27 d-------- c:\users\All Users\WindowsSearch
2008-11-28 00:27 . 2008-11-28 00:27 d-------- c:\programdata\WindowsSearch
2008-11-27 22:18 . 2008-11-27 22:18 d-------- c:\users\Twu\AppData\Roaming\Malwarebytes
2008-11-27 22:18 . 2008-11-27 22:18 d-------- c:\users\All Users\Malwarebytes
2008-11-27 22:18 . 2008-11-27 22:18 d-------- c:\programdata\Malwarebytes
2008-11-27 22:18 . 2008-11-27 22:18 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-27 22:18 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-27 22:18 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-27 18:38 . 2008-12-01 16:25 d-a------ c:\users\All Users\TEMP
2008-11-27 18:38 . 2008-12-01 16:25 d-a------ c:\programdata\TEMP
2008-11-27 18:38 . 2008-12-01 16:25 d-------- c:\program files\Spyware Doctor
2008-11-27 18:26 . 2008-11-27 18:37 d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-27 18:26 . 2008-11-27 18:37 d-------- c:\programdata\Spybot - Search & Destroy
2008-11-27 18:26 . 2008-11-27 18:37 d-------- c:\program files\Spybot - Search & Destroy
2008-11-27 18:18 . 2008-11-27 18:18 d-------- c:\program files\Trend Micro
2008-11-27 17:13 . 2008-11-27 17:13 d-------- c:\program files\[email protected]
2008-11-27 17:13 . 2008-11-27 17:13 d-------- c:\program files\Common Files\Gibinsoft Shared
2008-11-27 17:07 . 2008-11-27 17:07 d-------- c:\users\All Users\Startup Manager
2008-11-27 17:07 . 2008-11-27 17:07 d-------- c:\programdata\Startup Manager
2008-11-27 17:07 . 2008-12-02 18:15 d-------- c:\program files\Startup Manager
2008-11-27 16:55 . 2008-11-27 16:55 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2008-11-27 15:43 . 2008-11-27 18:37 d-------- c:\users\All Users\Lavasoft
2008-11-27 15:43 . 2008-11-27 18:37 d-------- c:\programdata\Lavasoft
2008-11-25 19:47 . 2008-10-21 19:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 19:46 . 2008-10-20 21:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 19:46 . 2008-08-27 19:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 19:46 . 2008-08-27 19:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 19:46 . 2008-08-27 19:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-20 21:15 . 2008-11-20 21:15 d-------- c:\users\Twu\AppData\Roaming\Nero
2008-11-20 20:20 . 2008-11-25 01:09 d-------- c:\users\Twu\AppData\Roaming\goombah
2008-11-20 19:55 . 2008-12-04 22:08 d-------- c:\users\Twu\AppData\Roaming\Ruckus Network
2008-11-20 19:20 . 2008-10-16 13:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-20 19:20 . 2008-10-16 12:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-20 19:20 . 2008-10-16 13:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-20 19:20 . 2008-10-16 13:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-20 19:19 . 2008-10-16 13:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-20 19:19 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-20 19:19 . 2008-10-16 12:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-20 19:19 . 2008-10-16 13:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-20 19:19 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-19 20:16 . 2008-11-26 02:02 d-------- c:\users\Twu\AppData\Roaming\LimeWire
2008-11-19 00:22 . 2008-11-19 00:22 0 --a------ c:\windows\nsreg.dat
2008-11-19 00:18 . 2008-11-19 00:18 d-------- c:\users\Twu\Other
2008-11-18 23:52 . 2008-11-18 23:52 d-------- c:\users\Twu\AppData\Roaming\Blackberry Desktop
2008-11-18 23:52 . 2008-11-18 23:52 d-------- c:\users\Twu\AppData\Roaming\Bioshock
2008-11-18 23:52 . 2008-11-18 23:52 d-------- c:\users\Twu\AppData\Roaming\Apple Computer
2008-11-18 23:52 . 2008-11-18 23:52 d-------- c:\users\Twu\AppData\Roaming\Ahead
2008-11-18 23:52 . 2008-11-18 23:52 d-------- c:\users\Twu\AppData\Roaming\acccore
2008-11-18 23:51 . 2008-11-18 23:51 d-------- c:\users\Twu\My Games
2008-11-18 23:50 . 2008-11-18 23:50 d-------- c:\users\Twu\Downloaded Installations
2008-11-18 23:50 . 2008-11-18 23:50 d-------- c:\users\Twu\ChessBase
2008-11-18 23:50 . 2008-11-18 23:50 d-------- c:\users\Twu\Bioshock
2008-11-18 23:47 . 2008-11-18 23:47 dr------- c:\users\Twu\Searches
2008-11-18 23:47 . 2008-11-18 23:47 dr------- c:\users\Twu\Contacts
2008-11-18 23:47 . 2008-11-18 23:47 d-------- c:\users\Twu\Bluetooth Software
2008-11-18 23:47 . 2008-11-18 23:47 d-------- c:\users\Twu\AppData\Roaming\Macrovision
2008-11-18 23:47 . 2008-11-18 23:47 d-------- c:\users\Twu\AppData\Roaming\DigitalPersona
2008-11-18 23:46 . 2008-11-24 22:19 dr------- c:\users\Twu\Videos
2008-11-18 23:46 . 2008-11-19 00:13 dr------- c:\users\Twu\Saved Games
2008-11-18 23:46 . 2008-11-19 00:13 dr------- c:\users\Twu\Pictures
2008-11-18 23:46 . 2008-11-19 00:13 dr------- c:\users\Twu\Music
2008-11-18 23:46 . 2008-11-18 23:47 dr------- c:\users\Twu\Links
2008-11-18 23:46 . 2008-12-06 12:58 dr------- c:\users\Twu\Downloads
2008-11-18 23:46 . 2008-11-27 15:36 dr------- c:\users\Twu\Documents
2008-11-18 23:46 . 2006-11-02 04:37 d-------- c:\users\Twu\AppData\Roaming\Media Center Programs
2008-11-18 23:46 . 2008-11-18 23:47 d--h----- c:\users\Twu\AppData
2008-11-18 23:46 . 2008-11-29 15:54 d-------- c:\users\Twu
2008-11-13 23:21 . 2008-11-13 23:21 d-------- C:\cbdata
2008-11-13 23:21 . 2008-11-13 23:21 132 --a------ c:\windows\ChssBase.ini
2008-11-12 14:02 . 2008-09-09 19:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-12 14:02 . 2008-09-04 21:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-12 14:02 . 2008-08-26 17:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 21:22 168,333 ----a-w c:\users\All Users\nvModes.dat
2008-12-06 21:22 168,333 ----a-w c:\programdata\nvModes.dat
2008-12-06 02:30 --------- d-----w c:\program files\Common Files\Steam
2008-11-30 19:39 --------- d-----w c:\program files\Common Files\Apple
2008-11-30 19:34 --------- d-----w c:\program files\Java
2008-11-30 18:49 --------- d-----w c:\program files\Google
2008-11-30 05:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 04:10 --------- d-----w c:\program files\Microsoft Games
2008-11-28 02:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-17 01:06 --------- d-----w c:\program files\BitComet
2008-11-17 00:57 --------- d-----w c:\programdata\Microsoft Help
2008-11-16 08:18 --------- d-----w c:\programdata\FLEXnet
2008-11-13 05:26 --------- d-----w c:\program files\Common Files\Adobe
2008-11-08 03:03 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-11-05 01:28 --------- d-----w c:\programdata\Hewlett-Packard
2008-11-05 01:12 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-10-23 04:18 --------- d-----w c:\program files\Stardock
2008-10-23 04:18 --------- d-----w c:\program files\Common Files\Stardock
2008-10-23 04:01 --------- d-----w c:\program files\Rekenwonder Software
2008-10-23 00:21 21,248 ----a-w c:\windows\Help\OEM\scripts\HPScript.exe
2008-10-22 04:13 --------- d-----w c:\program files\vixy.net
2008-10-22 01:41 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-17 08:56 --------- d-----w c:\programdata\MakeMusic
2008-10-17 08:36 --------- d-----w c:\program files\TI Education
2008-10-17 08:36 --------- d-----w c:\program files\Common Files\TI Shared
2008-10-16 01:16 --------- d-----w c:\program files\Windows Mail
2008-10-11 00:44 --------- d-----w c:\program files\Common Files\SupportSoft
2008-10-11 00:07 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-06 19:51 20,224 ----a-w c:\windows\Help\OEM\scripts\HC_checkMUI.dll
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-07 05:50 43,698 ----a-w c:\windows\System32\xvid-uninstall.exe
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-27 442467]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-23 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-01 554288]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-03-12 699456]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-30 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\users\Twu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-10-22 3450608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-01-16 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Twu^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
--a------ 2008-04-15 12:42 70912 c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 20:52 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2008-04-15 16:54 178712 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 18:10 1688872 c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-07-12 11:43 226904 c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 13:21 2213160 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 13:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-06-16 00:52 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-12-24 14:55 222504 c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LayoutM]
--a------ 2004-08-26 13:17 45056 c:\windows\KLayMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{38A8A3CB-194D-4642-9241-65746DC00FCD}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{231C7D6C-BDAC-4CF0-8543-9D7F8F2E3F75}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{3B380C9C-C4F6-4EE0-A9F9-A6DABD1E775A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{945849F3-B3CB-403D-853B-C61874FF3EDC}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{ACE11C2A-E253-4372-AE27-63B2DF422086}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7553F324-2FB0-4CF9-8243-166B4F7576C6}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{21402BD9-5763-4EB1-B755-A81F3AE9E605}"= UDP:c:\games\UT3\Binaries\UT3Demo.exe:Unreal Tournament 3 Demo
"{8BBE06CB-5714-4DC8-9FBF-DC3BEC191036}"= TCP:c:\games\UT3\Binaries\UT3Demo.exe:Unreal Tournament 3 Demo
"TCP Query User{D6327645-53A5-4266-9786-6D75631CCAD1}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{060AC97A-4508-4836-A54A-ECBB8DDD268C}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{B68FC378-6387-47FA-8771-9CF278F0827C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{ECB04915-6BF3-4C21-A550-0170A8EBD2E4}"= UDP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"{6DCFA35F-B7EE-4E1F-B580-431FC9EDCA4D}"= TCP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"TCP Query User{AC84D7AA-2C6E-47ED-937A-74A77F8A83B7}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{22E0AB52-CB54-4259-B841-047E9F9CF435}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{98F1B6C6-6A07-4A4C-B06C-22AA818F91E1}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{136C8ED4-42A0-49E4-B185-015C197B7F89}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{4923301F-501E-4E67-A124-E754A71F035F}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{71AA5B66-0746-44FF-BBED-4A498DB5BCE9}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{8E75D3C7-E444-4AD0-9F02-E027EA497F4C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{ADD27F9B-C088-46CE-9F43-6E5BBC2ECDAD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{17F5D4F4-69DE-4012-A1AB-2E3A5A720C7B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{414E9097-894B-42F2-B39E-F7AA6ABBAD88}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{F56D7DFC-CB76-47A5-973E-980298B89CC8}c:\\program files\\crossloop\\crossloopconnect.exe"= UDP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"UDP Query User{EAD1F5D3-1479-411E-A24D-76984F9A4631}c:\\program files\\crossloop\\crossloopconnect.exe"= TCP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"{1E7565FA-772A-46EC-8EB8-C63B6CABB73C}"= UDP:12741:BitComet 12741 TCP
"{83B1BB30-7B06-44D3-A73E-EB8304B46A14}"= TCP:12741:BitComet 12741 UDP
"TCP Query User{1DFC98E3-7F1C-4D0B-87EC-6A368B591001}c:\\games\\steam\\steamapps\\thewatcher13\\counter-strike source\\hl2.exe"= UDP:c:\games\steam\steamapps\thewatcher13\counter-strike source\hl2.exe:hl2
"UDP Query User{C631B9C2-DE76-4DF4-97BB-4B2DEEBE869F}c:\\games\\steam\\steamapps\\thewatcher13\\counter-strike source\\hl2.exe"= TCP:c:\games\steam\steamapps\thewatcher13\counter-strike source\hl2.exe:hl2
"{1D6E63C2-0DDB-467B-B079-BF100856FE26}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{E792AB83-4028-4BD2-857F-BADD09E821BD}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{C75C1977-7FD7-45B0-B245-83F5FD6B2193}"= UDP:12741:BitComet 12741 TCP
"{BDA7AE71-3488-4F97-9D30-7DDCD5BB896B}"= TCP:12741:BitComet 12741 UDP
"{1E2DF29B-296B-44EB-A8B2-59CAA6FCFAF1}"= UDP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"{D7D9DAFC-6067-4B95-90B2-1C25F711E840}"= TCP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"{4D9080DB-A24A-488C-A953-EA145CB69DB9}"= UDP:7121:BitComet 7121 TCP
"{CDF7C7BF-5E84-4FDD-BDA1-B53AD4966F2C}"= TCP:7121:BitComet 7121 UDP
"{234F6335-83E4-4903-ADD1-D3DBA3A74BB4}"= UDP:7121:BitComet 7121 TCP
"{1C14A6BD-F9AA-4B12-8C23-65CC56F213B5}"= TCP:7121:BitComet 7121 UDP
"{0B1AC942-7050-4E59-B0DE-4F51A800AB43}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7D46C149-CEEC-4458-8FD0-0B5E9BB53402}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{47C1DDFC-25F5-4CEE-B714-283B8BDD2291}"= UDP:c:\windows\explorer.exe:Explorer
"{B370B639-862F-4461-BE8A-A03E4660BEE8}"= TCP:c:\windows\explorer.exe:Explorer
"{D2620874-286D-4FB6-856E-A6CE61C19B5A}"= UDP:c:\windows\explorer.exe:Explorer
"{EA51ACAA-F524-45E3-AA38-4C2AD8665541}"= TCP:c:\windows\explorer.exe:Explorer
"{D7FD89FC-E84C-4AA7-971A-982FEDD69DCE}"= UDP:c:\windows\System32\LogonUI.exe:LogonUI
"{98C58A52-C5F3-498D-A362-EDFC8A9B6D0C}"= TCP:c:\windows\System32\LogonUI.exe:LogonUI
"{E30B3D81-C398-4A34-B1E2-8CC5486EA9C0}"= UDP:c:\windows\System32\wininit.exe:wininit
"{B048647E-06BD-44E6-835D-A7F8C7F10457}"= TCP:c:\windows\System32\wininit.exe:wininit
"{F393E243-2C60-486C-8D00-D061A918E1C5}"= UDP:c:\windows\System32\wininit.exe:wininit
"{662502DD-CB31-4F72-A7AC-92E8958A8116}"= TCP:c:\windows\System32\wininit.exe:wininit
"{E67F6009-5F71-49BC-87D6-518CC1C5A1D3}"= UDP:c:\program files\Google\Update\GoogleUpdate.exe:GoogleUpdate
"{7DE5DE41-0BE6-43E1-9103-6E2E1A2E630D}"= TCP:c:\program files\Google\Update\GoogleUpdate.exe:GoogleUpdate
"{51481BFE-21C6-467A-BF49-2F15FC70D56A}"= UDP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{5F74F948-C133-404B-A4FF-CF4C21573017}"= TCP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{A26E6082-46CE-4D23-B6E4-B9833EC40DAC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{10B2DAD1-FDCC-40A0-A436-FF9A898F68E3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{0035A706-8AC0-4CF9-B73E-42212F0DF2E0}c:\\program files\\microsoft games\\gears of war\\binaries\\wargame-g4wlive.exe"= UDP:c:\program files\microsoft games\gears of war\binaries\wargame-g4wlive.exe:Gears Of War
"UDP Query User{037D8C7A-6BD7-4AFF-A8C1-D7A88B43847F}c:\\program files\\microsoft games\\gears of war\\binaries\\wargame-g4wlive.exe"= TCP:c:\program files\microsoft games\gears of war\binaries\wargame-g4wlive.exe:Gears Of War

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-06 78416]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe [2008-09-02 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-09-06 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-09-06 51280]
R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-03-18 24880]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-03-26 595248]
R3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-01-24 52736]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-04-01 81296]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-26 3658752]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-22 43552]
R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-03-26 40752]
S2 gupdate1c93b09b07c4a9f;Google Update Service (gupdate1c93b09b07c4a9f);"c:\program files\Google\Update\GoogleUpdate.exe" /svc [2008-10-30 133104]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe []
S3 Com4QLBEx;Com4QLBEx;"c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe" [2008-06-30 193840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36684a6d-7944-11dd-9601-001e68cbcb20}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe GSPI1113.vbs
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-30 19:35]

2008-12-06 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Tony Wu\AppData\Local\Google\Update\GoogleUpdate.exe []

2008-12-06 c:\windows\Tasks\User_Feed_Synchronization-{C0CE5D3C-3326-4349-8D03-5E30FD66960C}.job
- c:\windows\system32\msfeedssync.exe [2008-01-20 18:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7e5d7f7f-71bc-4dcc-a988-b3146cfd43f9} - c:\windows\system32\jeniguju.dll
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FireFox -: Profile - c:\users\Twu\AppData\Roaming\Mozilla\Firefox\Profiles\3ks95t5k.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.nyt.com
FF -: plugin - c:\program files\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 13:22:09
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\DPPWDFLT.dll


----------



## topspinwu (Oct 23, 2008)

(the combofix log was too long for one post - here's the rest of it)


- - - - - - - > 'Explorer.exe'(3076)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\windows\system32\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\stacsv.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\System32\WUDFHost.exe
c:\windows\ehome\mcupdate.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\dllhost.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-12-06 13:26:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 21:26:23

Pre-Run: 170,532,659,200 bytes free
Post-Run: 170,311,172,096 bytes free

399 --- E O F --- 2008-12-05 03:16:34


----------



## topspinwu (Oct 23, 2008)

And here's the hijack this log:



- - - - - - - > 'Explorer.exe'(3076)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\windows\system32\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\stacsv.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\System32\WUDFHost.exe
c:\windows\ehome\mcupdate.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\dllhost.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-12-06 13:26:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 21:26:23

Pre-Run: 170,532,659,200 bytes free
Post-Run: 170,311,172,096 bytes free

399 --- E O F --- 2008-12-05 03:16:34


----------



## jmw3 (Jul 23, 2007)

Hi topspinwu

Looks like you posted the lower section of the Combofix log again instead of the HijackThis log. Could you post a new HijackThis log?

Thanks


----------



## topspinwu (Oct 23, 2008)

Sorry, here it is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:18 PM, on 12/6/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\RUCKUS~1\Ruckus.exe
C:\Program Files\Emergent Music LLC\Goombah Partner COM Server\dist\goombahcom.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c93b09b07c4a9f) (gupdate1c93b09b07c4a9f) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vfsFPService.exe

--
End of file - 9057 bytes


----------



## topspinwu (Oct 23, 2008)

Ran another malwarebyte's scan - nothing came up! Does it look like it's all gone?


----------



## jmw3 (Jul 23, 2007)

Just a couple of things before we go on.
It is counterproductive for you to be running fixes on your own while I am attempting to assist you in removing malware from your machine. It can make the job of finding all of the malware that much harder.

I would appreciate it if you would not use any P2P programs while we are attempting to clean your computer; otherwise we'll be going around in circles. As long as you are using any form of *Peer-to-Peer networking* and *downloading files* from non-documented sources, you can expect infestations of malware to occur.

*Fix HiJackThis Entries*

Open HiJackThis 
Click on *Do a system scan only* 
Place a checkmark next to these lines(if still present):
*O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)*


Close all windows except Hijackthis and click *Fix Checked*
Click *Yes* when prompted
Close HijackThis.
*CFScript*
Close any open browsers.
Open *notepad* and copy/paste the text in the code box below into it:


```
DirLook::
c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
C:\cbdata

Folder::
C:\VundoFix Backups
```
Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at *"C:\ComboFix.txt"*
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix *SHOULD NOT* be used unless requested by a forum helper

To post in next reply:
Combofix log
New HijackThis log
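
Added example (not code from this thread, from HijackThis or from ComboFix): a small Python triage helper that does mechanically what the helper above does by eye. It reads HijackThis "O" lines and flags the ones whose target is gone or unowned (the "(no file)", "(file missing)" and "Unknown owner" markers HijackThis itself prints), and it walks a ComboFix "Reg Loading Points" dump to flag values that switch protections off (EnableLUA = 0, Security Center monitoring and update notifications disabled) and AutoRun commands recorded under mountpoints2, the kind of entries visible in the ComboFix log posted later in this thread. The sample log lines are constructed from entries in this thread; the key suffixes and value names in WEAK_SETTINGS are the standard Windows registry names, and the descriptions are my wording.

```python
"""Triage helper for HijackThis and ComboFix text logs (added example)."""
import re

# Constructed sample lines, modelled on entries posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe (file missing)
"""

SAMPLE_COMBOFIX_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\autorun.exe
"""

# Marker strings HijackThis writes when it cannot resolve an entry's target.
HJT_FLAGS = (
    ("(no file)", "entry points at a file that no longer exists"),
    ("(file missing)", "service binary is missing"),
    ("Unknown owner", "service binary carries no publisher name"),
)

# (registry key fragment, value name, value that weakens the system, description)
WEAK_SETTINGS = (
    (r"policies\system", "EnableLUA", 0, "User Account Control is disabled"),
    (r"security center", "UpdatesDisableNotify", 1, "Windows Update notifications suppressed"),
    (r"security center\monitoring", "DisableMonitoring", 1, "Security Center monitoring disabled"),
)


def dangling_hjt_entries(log_text):
    """Return (section, reason, line) for HijackThis lines whose target is
    missing or unowned. Only lines that start with an 'Onn -' tag count."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^(O\d+)\s+-\s+", line)
        if not m:
            continue
        for marker, reason in HJT_FLAGS:
            if marker in line:
                hits.append((m.group(1), reason, line))
                break  # one reason per line is enough for triage
    return hits


def _parse_reg_value(raw):
    """Turn ComboFix's rendering of a REG_DWORD into an int.
    ComboFix prints either '0 (0x0)' or 'dword:00000001'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^-?\d+", raw)
    return int(m.group(0)) if m else None


def weakened_settings(reg_text):
    """Walk a REGEDIT4-style 'Reg Loading Points' dump and return
    (key, description) for values that disable protections and for any
    AutoRun command recorded on a mount point."""
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section
            continue
        if current_key is None or not line:
            continue
        key_lower = current_key.lower()
        if "mountpoints2" in key_lower and "autorun" in line.lower():
            findings.append((current_key, "AutoRun command on a volume: " + line.strip()))
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*(.+)$', line)
        if not m:
            continue
        name, value = m.group(1), _parse_reg_value(m.group(2))
        for fragment, wanted_name, bad_value, description in WEAK_SETTINGS:
            if fragment in key_lower and name == wanted_name and value == bad_value:
                findings.append((current_key, description))
    return findings


if __name__ == "__main__":
    for section, reason, line in dangling_hjt_entries(SAMPLE_HJT):
        print(f"[{section}] {reason}: {line}")
    for key, description in weakened_settings(SAMPLE_COMBOFIX_REG):
        print(f"[{key}] {description}")
```

A flagged line is a prompt to look, not a verdict: the "Unknown owner" QuickPlay service above is legitimate HP software with an unsigned binary, which is exactly why helpers on these threads ask for the whole log rather than acting on a single line. The registry checks, by contrast, are unambiguous: a machine with UAC off and Security Center monitoring silenced has lost two of the warnings that would otherwise have surfaced the infection earlier, and those values should be restored once the cleanup is done.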


----------



## topspinwu (Oct 23, 2008)

Sorry, I won't run any more scans! I've also stopped using P2P ever since I found the trojan on my computer.

Here's part of the combofix log

ComboFix 08-12-06.06 - Twu 2008-12-07 10:10:51.2 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.1708 [GMT -8:00]
Running from: c:\users\Twu\Desktop\ComboFix.exe
Command switches used :: c:\users\Twu\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 21:44 . 2008-12-06 21:44 d-------- c:\users\Twu\AppData\Roaming\MathWorks
2008-12-06 21:44 . 2008-12-06 21:56 158 --a------ c:\windows\matlab.ini
2008-12-06 21:37 . 2008-12-06 21:44 d-------- c:\program files\MATLAB_SV71
2008-12-06 15:58 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\System32\D3DX9_40.dll
2008-12-06 15:58 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\System32\D3DCompiler_40.dll
2008-12-06 15:58 . 2008-10-27 10:04 514,384 --a------ c:\windows\System32\XAudio2_3.dll
2008-12-06 15:58 . 2008-10-10 04:52 452,440 --a------ c:\windows\System32\d3dx10_40.dll
2008-12-06 15:58 . 2008-10-27 10:04 235,856 --a------ c:\windows\System32\xactengine3_3.dll
2008-12-06 15:58 . 2008-10-27 10:04 70,992 --a------ c:\windows\System32\XAPOFX1_2.dll
2008-12-06 15:58 . 2008-10-27 10:04 23,376 --a------ c:\windows\System32\X3DAudio1_5.dll
2008-12-06 14:50 . 2008-12-06 15:08 d-------- c:\users\Twu\AppData\Roaming\vlc
2008-11-30 11:39 . 2008-11-30 11:40 d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 11:39 . 2008-11-30 11:40 d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 11:39 . 2008-11-30 11:40 d-------- c:\program files\iTunes
2008-11-30 11:39 . 2008-11-30 11:39 d-------- c:\program files\iPod
2008-11-30 11:38 . 2008-11-30 11:39 d-------- c:\program files\QuickTime
2008-11-30 11:34 . 2008-11-30 11:34 410,976 --a------ c:\windows\System32\deploytk.dll
2008-11-30 01:31 . 2008-11-30 01:31 d-------- c:\users\Twu\AppData\Roaming\Microsoft Games
2008-11-29 21:00 . 2008-11-29 21:00 d-------- c:\program files\Common Files\Microsoft Games
2008-11-29 21:00 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\System32\d3dx9_35.dll
2008-11-29 21:00 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\System32\d3dx9_33.dll
2008-11-29 21:00 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\System32\D3DCompiler_35.dll
2008-11-29 21:00 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\System32\D3DCompiler_33.dll
2008-11-29 21:00 . 2007-07-19 18:14 444,776 --a------ c:\windows\System32\d3dx10_35.dll
2008-11-29 21:00 . 2007-03-15 16:57 443,752 --a------ c:\windows\System32\d3dx10_33.dll
2008-11-29 21:00 . 2006-09-28 16:05 237,848 --a------ c:\windows\System32\xactengine2_4.dll
2008-11-29 21:00 . 2007-04-04 18:53 81,768 --a------ c:\windows\System32\xinput1_3.dll
2008-11-28 11:03 . 2008-11-28 11:03 d-------- c:\users\Twu\AppData\Roaming\CyberLink
2008-11-28 00:27 . 2008-11-28 00:27 d-------- c:\users\All Users\WindowsSearch
2008-11-28 00:27 . 2008-11-28 00:27 d-------- c:\programdata\WindowsSearch
2008-11-27 22:18 . 2008-11-27 22:18 d-------- c:\users\Twu\AppData\Roaming\Malwarebytes
2008-11-27 22:18 . 2008-11-27 22:18 d-------- c:\users\All Users\Malwarebytes
2008-11-27 22:18 . 2008-11-27 22:18 d-------- c:\programdata\Malwarebytes
2008-11-27 22:18 . 2008-11-27 22:18 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-27 22:18 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-27 22:18 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-27 18:38 . 2008-12-01 16:25 d-a------ c:\users\All Users\TEMP
2008-11-27 18:38 . 2008-12-01 16:25 d-a------ c:\programdata\TEMP
2008-11-27 18:38 . 2008-12-01 16:25 d-------- c:\program files\Spyware Doctor
2008-11-27 18:26 . 2008-11-27 18:37 d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-27 18:26 . 2008-11-27 18:37 d-------- c:\programdata\Spybot - Search & Destroy
2008-11-27 18:26 . 2008-11-27 18:37 d-------- c:\program files\Spybot - Search & Destroy
2008-11-27 18:18 . 2008-11-27 18:18 d-------- c:\program files\Trend Micro
2008-11-27 17:13 . 2008-11-27 17:13 d-------- c:\program files\[email protected]
2008-11-27 17:13 . 2008-11-27 17:13 d-------- c:\program files\Common Files\Gibinsoft Shared
2008-11-27 16:55 . 2008-11-27 16:55 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2008-11-27 15:43 . 2008-11-27 18:37 d-------- c:\users\All Users\Lavasoft
2008-11-27 15:43 . 2008-11-27 18:37 d-------- c:\programdata\Lavasoft
2008-11-25 19:47 . 2008-10-21 19:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 19:46 . 2008-10-20 21:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 19:46 . 2008-08-27 19:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 19:46 . 2008-08-27 19:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 19:46 . 2008-08-27 19:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-20 21:15 . 2008-11-20 21:15 d-------- c:\users\Twu\AppData\Roaming\Nero
2008-11-20 20:20 . 2008-11-25 01:09 d-------- c:\users\Twu\AppData\Roaming\goombah
2008-11-20 19:55 . 2008-12-07 00:25 d-------- c:\users\Twu\AppData\Roaming\Ruckus Network
2008-11-20 19:20 . 2008-10-16 13:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-20 19:20 . 2008-10-16 12:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-20 19:20 . 2008-10-16 13:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-20 19:20 . 2008-10-16 13:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-20 19:19 . 2008-10-16 13:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-20 19:19 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-20 19:19 . 2008-10-16 12:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-20 19:19 . 2008-10-16 13:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-20 19:19 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-19 20:16 . 2008-12-06 20:56 d-------- c:\users\Twu\AppData\Roaming\LimeWire
2008-11-19 00:22 . 2008-11-19 00:22 0 --a------ c:\windows\nsreg.dat
2008-11-19 00:18 . 2008-11-19 00:18 d-------- c:\users\Twu\Other
2008-11-18 23:52 . 2008-11-18 23:52 d-------- c:\users\Twu\AppData\Roaming\Blackberry Desktop
2008-11-18 23:52 . 2008-11-18 23:52 d-------- c:\users\Twu\AppData\Roaming\Bioshock
2008-11-18 23:52 . 2008-11-18 23:52 d-------- c:\users\Twu\AppData\Roaming\Apple Computer
2008-11-18 23:52 . 2008-11-18 23:52 d-------- c:\users\Twu\AppData\Roaming\Ahead
2008-11-18 23:51 . 2008-11-18 23:51 d-------- c:\users\Twu\My Games
2008-11-18 23:50 . 2008-11-18 23:50 d-------- c:\users\Twu\Downloaded Installations
2008-11-18 23:50 . 2008-11-18 23:50 d-------- c:\users\Twu\ChessBase
2008-11-18 23:50 . 2008-11-18 23:50 d-------- c:\users\Twu\Bioshock
2008-11-18 23:47 . 2008-11-18 23:47 dr------- c:\users\Twu\Searches
2008-11-18 23:47 . 2008-11-18 23:47 dr------- c:\users\Twu\Contacts
2008-11-18 23:47 . 2008-11-18 23:47 d-------- c:\users\Twu\Bluetooth Software
2008-11-18 23:47 . 2008-11-18 23:47 d-------- c:\users\Twu\AppData\Roaming\Macrovision
2008-11-18 23:47 . 2008-11-18 23:47 d-------- c:\users\Twu\AppData\Roaming\DigitalPersona
2008-11-18 23:46 . 2008-11-24 22:19 dr------- c:\users\Twu\Videos
2008-11-18 23:46 . 2008-11-19 00:13 dr------- c:\users\Twu\Saved Games
2008-11-18 23:46 . 2008-11-19 00:13 dr------- c:\users\Twu\Pictures
2008-11-18 23:46 . 2008-11-19 00:13 dr------- c:\users\Twu\Music
2008-11-18 23:46 . 2008-11-18 23:47 dr------- c:\users\Twu\Links
2008-11-18 23:46 . 2008-12-07 10:09 dr------- c:\users\Twu\Downloads
2008-11-18 23:46 . 2008-11-27 15:36 dr------- c:\users\Twu\Documents
2008-11-18 23:46 . 2006-11-02 04:37 d-------- c:\users\Twu\AppData\Roaming\Media Center Programs
2008-11-18 23:46 . 2008-11-18 23:47 d--h----- c:\users\Twu\AppData
2008-11-18 23:46 . 2008-11-29 15:54 d-------- c:\users\Twu
2008-11-13 23:21 . 2008-11-13 23:21 d-------- C:\cbdata
2008-11-13 23:21 . 2008-11-13 23:21 132 --a------ c:\windows\ChssBase.ini
2008-11-12 14:02 . 2008-09-09 19:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-12 14:02 . 2008-09-04 21:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-12 14:02 . 2008-08-26 17:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 18:17 168,333 ----a-w c:\users\All Users\nvModes.dat
2008-12-07 18:17 168,333 ----a-w c:\programdata\nvModes.dat
2008-12-06 22:08 --------- d-----w c:\program files\Common Files\AOL
2008-12-06 02:30 --------- d-----w c:\program files\Common Files\Steam
2008-11-30 19:39 --------- d-----w c:\program files\Common Files\Apple
2008-11-30 19:34 --------- d-----w c:\program files\Java
2008-11-30 18:49 --------- d-----w c:\program files\Google
2008-11-30 05:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 04:10 --------- d-----w c:\program files\Microsoft Games
2008-11-28 02:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-17 01:06 --------- d-----w c:\program files\BitComet
2008-11-17 00:57 --------- d-----w c:\programdata\Microsoft Help
2008-11-16 08:18 --------- d-----w c:\programdata\FLEXnet
2008-11-13 05:26 --------- d-----w c:\program files\Common Files\Adobe
2008-11-08 03:03 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-11-05 01:28 --------- d-----w c:\programdata\Hewlett-Packard
2008-11-05 01:12 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-10-23 04:18 --------- d-----w c:\program files\Stardock
2008-10-23 04:18 --------- d-----w c:\program files\Common Files\Stardock
2008-10-23 04:01 --------- d-----w c:\program files\Rekenwonder Software
2008-10-23 00:21 21,248 ----a-w c:\windows\Help\OEM\scripts\HPScript.exe
2008-10-22 04:13 --------- d-----w c:\program files\vixy.net
2008-10-22 01:41 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-17 08:56 --------- d-----w c:\programdata\MakeMusic
2008-10-17 08:36 --------- d-----w c:\program files\TI Education
2008-10-17 08:36 --------- d-----w c:\program files\Common Files\TI Shared
2008-10-16 01:16 --------- d-----w c:\program files\Windows Mail
2008-10-11 00:44 --------- d-----w c:\program files\Common Files\SupportSoft
2008-10-11 00:07 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-06 19:51 20,224 ----a-w c:\windows\Help\OEM\scripts\HC_checkMUI.dll
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-07 05:50 43,698 ----a-w c:\windows\System32\xvid-uninstall.exe
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\cbdata ----

---- Directory of c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} ----

2008-07-04 13:35 54632 --a------ c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe 
2008-04-24 08:25 11168 --a------ c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat 
2008-04-17 13:12 319456 --a------ c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll 
2008-04-17 13:12 2761 --a------ c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf 
2008-04-17 13:12 15464 --a------ c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys 
2008-04-17 13:12 107368 --a------  c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll

---- Directory of c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} ----

2008-07-04 13:35 54632 --a------ c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe 
2008-04-24 08:25 11168 --a------ c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat 
2008-04-17 13:12 319456 --a------ c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll 
2008-04-17 13:12 2761 --a------ c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf 
2008-04-17 13:12 15464 --a------ c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys 
2008-04-17 13:12 107368 --a------ c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll

((((((((((((((((((((((((((((( [email protected]_13.25.26.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-06 07:04:35 51,200 ----a-w c:\windows\inf\infpub.dat
+ 2008-12-07 04:34:40 51,200 ----a-w c:\windows\inf\infpub.dat
- 2008-12-06 07:04:35 143,360 ----a-w c:\windows\inf\infstrng.dat
+ 2008-12-07 04:34:40 143,360 ----a-w c:\windows\inf\infstrng.dat
- 2008-12-06 21:22:08 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-12-07 18:17:46 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-12-06 21:22:08 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-12-07 18:17:47 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-12-06 20:40:21 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-07 18:15:52 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-06 20:40:21 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-07 18:15:52 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-06 20:40:21 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-07 18:15:52 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-06 21:17:38 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-07 18:10:18 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-12-06 20:46:31 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-07 04:37:46 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-06 20:46:31 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-07 04:37:46 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2008-12-06 20:43:22 5,246 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1664020365-2243732171-4037371195-1002_UserData.bin
+ 2008-12-07 03:18:42 5,722 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1664020365-2243732171-4037371195-1002_UserData.bin
- 2008-12-06 20:43:21 90,622 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-07 18:18:41 90,724 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-06 20:43:16 52,052 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-07 03:18:40 52,052 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-12-04 02:49:15 316,622 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-12-07 18:01:52 317,672 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-27 442467]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-23 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-01 554288]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-03-12 699456]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-30 136600]

c:\users\Twu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-10-22 3450608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-01-16 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Twu^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
--a------ 2008-04-15 12:42 70912 c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 20:52 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2008-04-15 16:54 178712 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 18:10 1688872 c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-07-12 11:43 226904 c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 13:21 2213160 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 13:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-06-16 00:52 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-12-24 14:55 222504 c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LayoutM]
--a------ 2004-08-26 13:17 45056 c:\windows\KLayMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001


----------



## topspinwu (Oct 23, 2008)

and here's the rest 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{38A8A3CB-194D-4642-9241-65746DC00FCD}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{231C7D6C-BDAC-4CF0-8543-9D7F8F2E3F75}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{3B380C9C-C4F6-4EE0-A9F9-A6DABD1E775A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{945849F3-B3CB-403D-853B-C61874FF3EDC}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{ACE11C2A-E253-4372-AE27-63B2DF422086}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7553F324-2FB0-4CF9-8243-166B4F7576C6}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{21402BD9-5763-4EB1-B755-A81F3AE9E605}"= UDP:c:\games\UT3\Binaries\UT3Demo.exe:Unreal Tournament 3 Demo
"{8BBE06CB-5714-4DC8-9FBF-DC3BEC191036}"= TCP:c:\games\UT3\Binaries\UT3Demo.exe:Unreal Tournament 3 Demo
"{B68FC378-6387-47FA-8771-9CF278F0827C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{ECB04915-6BF3-4C21-A550-0170A8EBD2E4}"= UDP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"{6DCFA35F-B7EE-4E1F-B580-431FC9EDCA4D}"= TCP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"TCP Query User{AC84D7AA-2C6E-47ED-937A-74A77F8A83B7}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{22E0AB52-CB54-4259-B841-047E9F9CF435}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{98F1B6C6-6A07-4A4C-B06C-22AA818F91E1}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{136C8ED4-42A0-49E4-B185-015C197B7F89}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{4923301F-501E-4E67-A124-E754A71F035F}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{71AA5B66-0746-44FF-BBED-4A498DB5BCE9}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{8E75D3C7-E444-4AD0-9F02-E027EA497F4C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{ADD27F9B-C088-46CE-9F43-6E5BBC2ECDAD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{17F5D4F4-69DE-4012-A1AB-2E3A5A720C7B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{414E9097-894B-42F2-B39E-F7AA6ABBAD88}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{F56D7DFC-CB76-47A5-973E-980298B89CC8}c:\\program files\\crossloop\\crossloopconnect.exe"= UDP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"UDP Query User{EAD1F5D3-1479-411E-A24D-76984F9A4631}c:\\program files\\crossloop\\crossloopconnect.exe"= TCP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"{1E7565FA-772A-46EC-8EB8-C63B6CABB73C}"= UDP:12741:BitComet 12741 TCP
"{83B1BB30-7B06-44D3-A73E-EB8304B46A14}"= TCP:12741:BitComet 12741 UDP
"TCP Query User{1DFC98E3-7F1C-4D0B-87EC-6A368B591001}c:\\games\\steam\\steamapps\\thewatcher13\\counter-strike source\\hl2.exe"= UDP:c:\games\steam\steamapps\thewatcher13\counter-strike source\hl2.exe:hl2
"UDP Query User{C631B9C2-DE76-4DF4-97BB-4B2DEEBE869F}c:\\games\\steam\\steamapps\\thewatcher13\\counter-strike source\\hl2.exe"= TCP:c:\games\steam\steamapps\thewatcher13\counter-strike source\hl2.exe:hl2
"{1D6E63C2-0DDB-467B-B079-BF100856FE26}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{E792AB83-4028-4BD2-857F-BADD09E821BD}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{C75C1977-7FD7-45B0-B245-83F5FD6B2193}"= UDP:12741:BitComet 12741 TCP
"{BDA7AE71-3488-4F97-9D30-7DDCD5BB896B}"= TCP:12741:BitComet 12741 UDP
"{1E2DF29B-296B-44EB-A8B2-59CAA6FCFAF1}"= UDP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"{D7D9DAFC-6067-4B95-90B2-1C25F711E840}"= TCP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"{4D9080DB-A24A-488C-A953-EA145CB69DB9}"= UDP:7121:BitComet 7121 TCP
"{CDF7C7BF-5E84-4FDD-BDA1-B53AD4966F2C}"= TCP:7121:BitComet 7121 UDP
"{234F6335-83E4-4903-ADD1-D3DBA3A74BB4}"= UDP:7121:BitComet 7121 TCP
"{1C14A6BD-F9AA-4B12-8C23-65CC56F213B5}"= TCP:7121:BitComet 7121 UDP
"{0B1AC942-7050-4E59-B0DE-4F51A800AB43}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7D46C149-CEEC-4458-8FD0-0B5E9BB53402}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{47C1DDFC-25F5-4CEE-B714-283B8BDD2291}"= UDP:c:\windows\explorer.exe:Explorer
"{B370B639-862F-4461-BE8A-A03E4660BEE8}"= TCP:c:\windows\explorer.exe:Explorer
"{D2620874-286D-4FB6-856E-A6CE61C19B5A}"= UDP:c:\windows\explorer.exe:Explorer
"{EA51ACAA-F524-45E3-AA38-4C2AD8665541}"= TCP:c:\windows\explorer.exe:Explorer
"{D7FD89FC-E84C-4AA7-971A-982FEDD69DCE}"= UDP:c:\windows\System32\LogonUI.exe:LogonUI
"{98C58A52-C5F3-498D-A362-EDFC8A9B6D0C}"= TCP:c:\windows\System32\LogonUI.exe:LogonUI
"{E30B3D81-C398-4A34-B1E2-8CC5486EA9C0}"= UDP:c:\windows\System32\wininit.exe:wininit
"{B048647E-06BD-44E6-835D-A7F8C7F10457}"= TCP:c:\windows\System32\wininit.exe:wininit
"{F393E243-2C60-486C-8D00-D061A918E1C5}"= UDP:c:\windows\System32\wininit.exe:wininit
"{662502DD-CB31-4F72-A7AC-92E8958A8116}"= TCP:c:\windows\System32\wininit.exe:wininit
"{E67F6009-5F71-49BC-87D6-518CC1C5A1D3}"= UDP:c:\program files\Google\Update\GoogleUpdate.exe:GoogleUpdate
"{7DE5DE41-0BE6-43E1-9103-6E2E1A2E630D}"= TCP:c:\program files\Google\Update\GoogleUpdate.exe:GoogleUpdate
"{51481BFE-21C6-467A-BF49-2F15FC70D56A}"= UDP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{5F74F948-C133-404B-A4FF-CF4C21573017}"= TCP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{A26E6082-46CE-4D23-B6E4-B9833EC40DAC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{10B2DAD1-FDCC-40A0-A436-FF9A898F68E3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{0035A706-8AC0-4CF9-B73E-42212F0DF2E0}c:\\program files\\microsoft games\\gears of war\\binaries\\wargame-g4wlive.exe"= UDP:c:\program files\microsoft games\gears of war\binaries\wargame-g4wlive.exe:Gears Of War
"UDP Query User{037D8C7A-6BD7-4AFF-A8C1-D7A88B43847F}c:\\program files\\microsoft games\\gears of war\\binaries\\wargame-g4wlive.exe"= TCP:c:\program files\microsoft games\gears of war\binaries\wargame-g4wlive.exe:Gears Of War
"TCP Query User{1D7EDC2E-C4A9-47A8-857F-26AD5790F6F9}c:\\games\\left 4 dead\\left4dead.exe"= UDP:c:\games\left 4 dead\left4dead.exe:left4dead
"UDP Query User{796226A0-272F-42E5-813E-5B5798112508}c:\\games\\left 4 dead\\left4dead.exe"= TCP:c:\games\left 4 dead\left4dead.exe:left4dead
"{C252C38B-721D-4E5B-85E2-602F121D68E3}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{5E99EFFB-567F-446B-A044-8DA8F44090EC}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{D14F7148-0CBC-413E-A391-1837F7195217}c:\\program files\\matlab_sv71\\bin\\win32\\matlab.exe"= UDP:c:\program files\matlab_sv71\bin\win32\matlab.exe:MATLAB
"UDP Query User{E77AC5B3-089D-4B4E-B254-58E40DD29D56}c:\\program files\\matlab_sv71\\bin\\win32\\matlab.exe"= TCP:c:\program files\matlab_sv71\bin\win32\matlab.exe:MATLAB
"TCP Query User{34C5C0CD-CABD-453A-B30B-FFF16AF91F39}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{4087A9FA-4FC9-4D5C-AE53-1472EF33A42E}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-06 78416]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe [2008-09-02 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-09-06 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-09-06 51280]
R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-03-18 24880]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-03-26 595248]
R3 Com4QLBEx;Com4QLBEx;"c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe" [2008-06-30 193840]
R3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-01-24 52736]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-04-01 81296]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-26 3658752]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-22 43552]
R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-03-26 40752]
S2 gupdate1c93b09b07c4a9f;Google Update Service (gupdate1c93b09b07c4a9f);"c:\program files\Google\Update\GoogleUpdate.exe" /svc [2008-10-30 133104]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13e02bfe-7958-11dd-9d4e-806e6f6e6963}]
\shell\AutoRun\command - E:\autorun.exe
\shell\setup\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-30 19:35]

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Tony Wu\AppData\Local\Google\Update\GoogleUpdate.exe []

2008-12-07 c:\windows\Tasks\User_Feed_Synchronization-{C0CE5D3C-3326-4349-8D03-5E30FD66960C}.job
- c:\windows\system32\msfeedssync.exe [2008-01-20 18:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FireFox -: Profile - c:\users\Twu\AppData\Roaming\Mozilla\Firefox\Profiles\3ks95t5k.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.nyt.com
FF -: plugin - c:\program files\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 10:17:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\DPPWDFLT.dll

- - - - - - - > 'Explorer.exe'(5692)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\windows\system32\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\stacsv.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-07 10:22:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 18:22:22

Pre-Run: 170,709,962,752 bytes free
Post-Run: 170,689,003,520 bytes free

443 --- E O F --- 2008-12-05 03:16:34


----------



## topspinwu (Oct 23, 2008)

followed by the hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:00 AM, on 12/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c93b09b07c4a9f) (gupdate1c93b09b07c4a9f) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vfsFPService.exe

--
End of file - 8587 bytes


----------



## jmw3 (Jul 23, 2007)

Logs look good topspinwu. How's the computer running?

*ATF Cleaner*
Download *ATF Cleaner* *here* by Atribune. 

Double-click *ATF-Cleaner.exe* to run the program 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All* 
Click the *Empty Selected* button 
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt 
If you use Opera browser
Click *Opera* at the top and choose: *Select All* 
Click the *Empty Selected* button 
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt
Click *Exit* on the Main menu to close the program.

*Kaspersky Online Scan*
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select *Run As Administrator* to run it
Go to *Kaspersky website* and perform an online antivirus scan

Read through the requirements and privacy statement and click on *Accept* button
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*
When the downloads have finished, click on *Settings*
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the *Save* button:
*Spyware, Adware, Dialers, and other potentially dangerous programs*
*Archives*
*Mail databases*

Click on *My Computer* under *Scan*
Once the scan is complete, it will display the results. Click on *View Scan Report*
You will see a list of infected items there. Click on *Save Report As...*
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply *along with a new HijackThis log*


----------



## topspinwu (Oct 23, 2008)

The Kaspersky scan reported these infected objects:

C:\Program Files\CrossLoop\VNCHooks.dll    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b    1
C:\Program Files\CrossLoop\winvnc.exe    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h    1
C:\Qoobox\Quarantine\C\Windows\System32\tinonere.dll.vir    Infected: Trojan.Win32.Monder.aamw    1
C:\Qoobox\Quarantine\C\Windows\System32\zufajudi.dll.vir    Infected: Trojan.Win32.Monder.aamw    1
C:\Qoobox\Quarantine\C\Windows\System32\zugeyale.dll.vir    Infected: Trojan-Spy.Win32.Agent.fdp    1
C:\Users\Twu\Documents\Tony's Cache\Important Applications\xp utilities\xpbootcd.zip    Infected: Trojan.DOS.KillCMOS.k    1
C:\Users\Twu\Documents\Tony's Cache\Important Applications\xp utilities\xpbootcd.zip    Infected: Trojan.DOS.KillCMOS.c    1

However, Crossloop is legit I think, and the other trojans are all in the quarantine created by combofix. 


The only other problem I can observe is that web browsing is kind of hitchy. Javascript doesn't really load correctly without several browser refreshes and pages don't render at all as fast as they did before I got the virus attack. Do you know if this might actually be the case? Or am I just imagining things...

Thanks for all your help!


----------



## jmw3 (Jul 23, 2007)

Hi topspinwu

CrossLoop is fine. No need to worry about it.



> Javascript doesn't really load correctly without several browser refreshes


Have you tried updating Java? The current version is *Java Runtime Environment Version 6 Update 11*
*Update Java Runtime*


Go to *http://java.sun.com/javase/downloads/index.jsp*
Scroll down to *Java Runtime Environment (JRE) 6 Update 11* and click on the *Download* button
In the Platform box choose Windows
Check the box to *Accept License Agreement* and click *Continue*
Click on *Windows Offline Installation*, click on the link under it which says *"jre-6u11-windows-i586-p.exe"* and save the downloaded file to your desktop
Install the new version by running the downloaded file with the Java icon & follow the on-screen instructions
Reboot your computer



> and pages don't render at all as fast as they did before I got the virus attack.


Only thing I can suggest here is a re-install of Firefox. It may fix the problem.

*Remove Combofix*
Click on *Start* > *Run*. Copy and paste in *ComboFix /u* and click *OK*.


Then post a new Hijackthis log for review.


----------



## topspinwu (Oct 23, 2008)

here's the log from hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:19 PM, on 12/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Twu\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Twu\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix: 
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_030ac640\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c93b09b07c4a9f) (gupdate1c93b09b07c4a9f) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vfsFPService.exe

--
End of file - 8751 bytes


----------



## jmw3 (Jul 23, 2007)

*All Clean*
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

*Microsoft Windows Update*
Microsoft releases patches for Windows and Office products regularly to close loopholes in those products and fix any bugs found. Install the updates immediately if they are found.
*To update Windows*
Go to *Start* > *All Programs* > *Windows Update*
*To update Office*
Open up any Office program.
Go to *Help* > *Check for Updates*

*Malwarebytes' Anti-Malware*
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it *here* & find a tutorial *here*.

*SpywareBlaster*
Download and install Javacools SpywareBlaster from *here* 
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

*Download and Install a HOSTS File*
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just *HOSTS* with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

*Download BlueTack's HOSTS Manager* *here*, using Internet Explorer (Firefox won't work):

A short distance down the page in the centre, click on the *Download* button
Agree to the license
On the next page, to the right side of where it says *Download Estimates*, right click on the underlined word *Hosts Manager* choose *Save Target As* and download the installer *Hosts20setup.exe* to your desktop
Double click the Installer on your desktop and let it *Install the Hosts Manager*
After the installation is complete, click on the *Hosts Manager* icon on your desktop. (You can delete the other *Hosts Switch* icon from your desktop)
When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled *Options and Tools*,
Click *Disable DNS Service*. *This is important*
In the Left Pane, click *Download*
It will load 80,000 lines or more. When it finishes, also in the left pane, click *Replace*, and then click *Save*
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

*Install WinPatrol*
Download it *here*
You can find information about how WinPatrol works *here*

Looking over your log, it seems *you don't have* any evidence of a third party *firewall*.

As the term conveys, a *firewall* is an extra layer of security installed onto computers, which restricts access to systems from the outside world. *Firewalls protect against hackers and malicious intruders.* I want you to download a free firewall *NOW* from one of these excellent vendors:

*1)* *Webroot Desktop Firewall* (Registration is needed to download the firewall)
*2)* *PC Tools Firewall Plus*
*3)* *Netchina S3 2008*
*4)* *ZoneAlarm* (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

_If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time._

*Read some information* *here* on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

*Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!*
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

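The HOSTS mechanism described in the post above, as an added example (not part of the thread, and not code from BlueTack's Hosts Manager): a small model of how Windows consults the HOSTS file before DNS, with the first matching entry winning, hostnames compared case-insensitively, and a name pinned to the local machine never leaving the box. The sample file contents and the `.test` names are constructed placeholders, not indicators from this thread.

```python
"""Model of how a HOSTS file short-circuits name resolution.

Added example, not from the forum post or from BlueTack's Hosts Manager.
Windows reads %SystemRoot%\\System32\\drivers\\etc\\hosts (a file named
HOSTS with no extension) before asking DNS; the first matching entry wins.
"""
import ipaddress
from typing import Dict, Optional

# Constructed sample HOSTS content; the blocked names are placeholders,
# not real indicators taken from the thread.
SAMPLE_HOSTS = """\
# sample header comment, ignored by the resolver
127.0.0.1       localhost
::1             localhost
# Entries added by a blocklist: point bad names at the local machine
127.0.0.1  ads.example-malware.test  tracker.example-malware.test
0.0.0.0    update.badsite.test   # trailing comment is ignored
127.0.0.1  MixedCase.Example.TEST
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname (lower-cased): address}; the first entry for a name wins.

    Lines are '<address> <name> [<alias> ...]'; '#' starts a comment.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no names: ignore
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)         # skip malformed address fields
        except ValueError:
            continue
        for name in names:
            # hostnames are case-insensitive; setdefault keeps the first mapping
            table.setdefault(name.lower(), addr)
    return table


def resolve(hostname: str, table: Dict[str, str]) -> Optional[str]:
    """Return the HOSTS address for hostname, or None (falls through to DNS).

    Matching is exact: an entry for a parent domain does NOT cover its
    subdomains, which is why blocklists grow to 80,000+ lines.
    """
    return table.get(hostname.strip().rstrip(".").lower())


def is_short_circuited(hostname: str, table: Dict[str, str]) -> bool:
    """True when the name is pinned to the local machine (loopback) or to the
    unspecified address 0.0.0.0, so the request never reaches the network."""
    addr = resolve(hostname, table)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-malware.test", "mixedcase.example.test",
                 "sub.update.badsite.test", "www.example.com"):
        verdict = "blocked by HOSTS" if is_short_circuited(name, hosts) else "goes to DNS"
        print(f"{name:32} -> {verdict}")
```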

----------



## topspinwu (Oct 23, 2008)

thank you so much!


----------



## jmw3 (Jul 23, 2007)

You're welcome topspinwu

Stay safe


----------

