# Solved: MS Juan causing problems!



## Parenthesis (Feb 10, 2008)

Hi,

When I boot my computer I get these windows (1 or 2) that say:
> Error in: Users\Alex\AppData\Local\Temp\mtyunqkg.dll
> 
> Missing entry: run


Then, along with that, when I click to open Control Panel or any folder, it opens for a few seconds then closes quickly.

I recently installed Spybot Search and Destroy and it has a function to warn me of registry changes, and that's how I found that MS Juan is at times attempting to edit or destroy->add registry entries, ones with names much like Users\Alex\AppData\Local\Temp\mtyunqkg.dll, but with different gibberish for the dll.

Thanks a lot in advance 

Here is my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:29 PM, on 2/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Users\Alex\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Alex.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter 
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Alex\AppData\Local\Temp\nnnol.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Alex\AppData\Local\Temp\rqomn.dll,c
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Alex\AppData\Local\Temp\rsjvnwxq.dll",run
O4 - HKCU\..\Run: [147fba20] rundll32.exe "C:\Users\Alex\AppData\Local\Temp\wllsamqo.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10680 bytes
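The two symptoms in this post (a `rundll32` "Missing entry: run" error at boot and Run-key values pointing at randomly named DLLs in `AppData\Local\Temp`) are exactly the pattern a log reviewer looks for in the `O4` section. The script below is an added example for this thread, not HijackThis, ComboFix or anything the poster ran; it parses HijackThis `O4` lines and ComboFix-style `"name"="path"` Run entries and flags autostarts whose image sits in a Temp directory or whose value name is an 8-digit hex string. The sample lines are copied from the logs in this thread and mixed with benign entries; the two heuristics and every function name are my own choice.

```python
"""Triage helper: flag suspicious autostart entries in HijackThis / ComboFix logs.

Added example for this thread; not part of HijackThis, ComboFix or the original post.
"""
import re

# --- constructed sample input: lines copied from the logs in this thread ---------------
HJT_LINES = [
    r'O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter',
    r'O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Alex\AppData\Local\Temp\nnnol.dll,#1',
    r'O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Alex\AppData\Local\Temp\rsjvnwxq.dll",run',
    r'O4 - HKCU\..\Run: [147fba20] rundll32.exe "C:\Users\Alex\AppData\Local\Temp\wllsamqo.dll",b',
    r'O4 - Global Startup: Vongo Tray.lnk = ?',
]
# ComboFix "Reg Loading Points" format; ComboFix already resolves rundll32 entries to the DLL.
COMBOFIX_LINES = [
    r'"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:35 125440]',
    r'"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]',
    r'"cmds"="C:\Users\Alex\AppData\Local\Temp\rqomn.dll" [2008-02-08 14:19 338432]',
]

# HijackThis registry autostart: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# ComboFix REGEDIT4-style value: "name"="target" [date time size]
CF_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"')
# Heuristic 1: legitimate autostarts do not live in a Temp directory.
TEMP_DIR_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Local Settings\\Temp|Windows\\Temp)\\', re.IGNORECASE)
# Heuristic 2: an 8-digit hex value name (like "147fba20") instead of a product name.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)
RUNDLL32_RE = re.compile(r'^"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.IGNORECASE)


def rundll32_target(cmd):
    """If the command line invokes rundll32, return the DLL it loads, else None."""
    m = RUNDLL32_RE.match(cmd.strip())
    if not m:
        return None
    rest = m.group('rest')
    if rest.startswith('"'):                 # quoted path: "C:\...\x.dll",entry
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    dll, sep, _entry = rest.rpartition(',')  # unquoted: path runs up to the last comma
    return dll if sep else rest


def image_path(cmd):
    """Return the program path at the start of a (possibly unquoted) command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'^(?P<path>.+?\.(?:exe|dll|scr|com))(?:\s|,|$)', cmd, re.IGNORECASE)
    return m.group('path') if m else cmd.split()[0]


def assess(source, name, path, via_rundll32):
    """Apply the two heuristics; return a finding dict or None when nothing is suspicious."""
    reasons = []
    if TEMP_DIR_RE.search(path):
        reasons.append('autostart image lives in a Temp directory'
                       + (' and is loaded through rundll32' if via_rundll32 else ''))
    if HEX_NAME_RE.match(name):
        reasons.append('value name is an 8-digit hex string rather than a product name')
    if not reasons:
        return None
    return {'source': source, 'name': name, 'path': path, 'reasons': reasons}


def analyze_autostarts(hjt_lines, combofix_lines):
    """Return the suspicious entries found in HijackThis O4 lines and ComboFix Run values."""
    findings = []
    for line in hjt_lines:
        m = O4_RE.match(line)
        if not m:
            continue                          # Global Startup .lnk lines are not handled here
        dll = rundll32_target(m.group('cmd'))
        path = dll if dll is not None else image_path(m.group('cmd'))
        f = assess('HijackThis', m.group('name'), path, via_rundll32=dll is not None)
        if f:
            findings.append(f)
    for line in combofix_lines:
        m = CF_RE.match(line)
        if not m:
            continue
        target = m.group('target')
        f = assess('ComboFix', m.group('name'), target, via_rundll32=target.lower().endswith('.dll'))
        if f:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in analyze_autostarts(HJT_LINES, COMBOFIX_LINES):
        print(f"[{f['source']}] {f['name']!r} -> {f['path']}")
        for r in f['reasons']:
            print(f"    - {r}")
```

Run against the sample, it reports `MSServer`, `MS Juan` and `147fba20` from the HijackThis lines and `cmds` from the ComboFix lines, and stays quiet on the Synaptics, NVIDIA and Welcome Center entries even though two of those also go through `rundll32`. The point of the Temp-directory rule is that `rundll32` itself is a signed Windows binary, so the thing to inspect is always the DLL argument, not the host process.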


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Parenthesis* 

Welcome.

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***


----------



## Parenthesis (Feb 10, 2008)

ComboFix 08-02-17.2 - Alex 2008-02-18 15:09:00.1 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.271 [GMT -5:00]
Running from: C:\Users\Alex\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-15 18:06 . 2008-01-10 00:50	1,244,672	--a------	C:\Windows\System32\mcmde.dll
2008-02-13 19:48 . 2008-02-13 19:48	194,560	--a------	C:\Windows\System32\WebClnt.dll
2008-02-13 19:48 . 2008-02-13 19:48	110,080	--a------	C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 19:46 . 2008-02-13 19:46	613,888	--a------	C:\Windows\System32\wpd_ci.dll
2008-02-13 19:46 . 2008-02-13 19:46	224,824	--a------	C:\Windows\System32\clfs.sys
2008-02-13 19:46 . 2008-02-13 19:46	19,456	--a------	C:\Windows\System32\cfgmgr32.dll
2008-02-13 19:41 . 2008-02-13 19:41	3,504,696	--a------	C:\Windows\System32\ntkrnlpa.exe
2008-02-13 19:41 . 2008-02-13 19:41	3,470,392	--a------	C:\Windows\System32\ntoskrnl.exe
2008-02-13 19:41 . 2008-02-13 19:41	154,624	--a------	C:\Windows\System32\drivers\nwifi.sys
2008-02-13 19:41 . 2008-02-13 19:41	109,624	--a------	C:\Windows\System32\drivers\ataport.sys
2008-02-13 19:41 . 2008-02-13 19:41	45,112	--a------	C:\Windows\System32\drivers\pciidex.sys
2008-02-13 19:41 . 2008-02-13 19:41	21,560	--a------	C:\Windows\System32\drivers\atapi.sys
2008-02-13 19:41 . 2008-02-13 19:41	15,928	--a------	C:\Windows\System32\drivers\pciide.sys
2008-02-13 19:40 . 2008-02-13 19:40	803,328	--a------	C:\Windows\System32\drivers\tcpip.sys
2008-02-13 19:40 . 2008-02-13 19:40	216,632	--a------	C:\Windows\System32\drivers\netio.sys
2008-02-13 19:40 . 2008-02-13 19:40	167,424	--a------	C:\Windows\System32\tcpipcfg.dll
2008-02-13 19:40 . 2008-02-13 19:40	24,064	--a------	C:\Windows\System32\netcfg.exe
2008-02-13 19:40 . 2008-02-13 19:40	22,016	--a------	C:\Windows\System32\netiougc.exe
2008-02-13 19:39 . 2008-02-13 19:39	4,247,552	--a------	C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 19:39 . 2008-02-13 19:39	1,686,528	--a------	C:\Windows\System32\gameux.dll
2008-02-13 18:23 . 2008-02-13 19:23 d--------	C:\Users\All Users\Spybot - Search & Destroy
2008-02-13 18:23 . 2008-02-13 19:23 d--------	C:\ProgramData\Spybot - Search & Destroy
2008-02-13 18:23 . 2008-02-13 18:23 d--------	C:\Program Files\Spybot - Search & Destroy
2008-02-12 23:06 . 2008-02-12 23:06 d--------	C:\Deckard
2008-02-12 03:09 . 2008-02-12 03:09 d--------	C:\Users\Alex\AppData\Roaming\acccore
2008-02-11 23:39 . 2008-02-11 23:39 d--------	C:\Users\All Users\Viewpoint
2008-02-11 23:39 . 2008-02-11 23:39 d--------	C:\ProgramData\Viewpoint
2008-02-11 23:39 . 2008-02-11 23:44 d--------	C:\Program Files\Viewpoint
2008-02-11 23:38 . 2008-02-12 00:19 d--------	C:\Users\All Users\AOL OCP
2008-02-11 23:38 . 2008-02-11 23:38 d--------	C:\Users\All Users\AOL
2008-02-11 23:38 . 2008-02-12 00:19 d--------	C:\ProgramData\AOL OCP
2008-02-11 23:38 . 2008-02-11 23:38 d--------	C:\ProgramData\AOL
2008-02-11 23:38 . 2008-02-11 23:38 d--------	C:\Program Files\Common Files\AOL
2008-02-11 23:34 . 2008-02-12 00:17 d--------	C:\Program Files\AIM6
2008-02-11 23:33 . 2008-02-12 00:17	433	--ah-----	C:\IPH.PH
2008-02-11 18:38 . 2008-01-12 18:32	23,904	--a------	C:\Windows\System32\drivers\COH_Mon.sys
2008-02-11 18:38 . 2008-01-15 09:54	10,537	--a------	C:\Windows\System32\drivers\COH_Mon.cat
2008-02-11 18:38 . 2008-01-15 05:28	706	--a------	C:\Windows\System32\drivers\COH_Mon.inf
2008-02-10 16:39 . 2008-02-10 16:40 d--------	C:\Users\Alex\.SunDownloadManager
2008-02-10 15:22 . 2008-02-10 15:22 d--------	C:\Users\Alex\DoctorWeb
2008-02-10 13:39 . 2008-02-10 13:39 d--------	C:\Program Files\SpywareBlaster
2008-02-10 13:39 . 2005-08-25 18:19	115,920	--a------	C:\Windows\System32\MSINET.OCX
2008-02-10 13:00 . 2008-02-10 13:00 d--------	C:\Program Files\Trend Micro
2008-02-08 13:55 . 2008-02-08 13:55 d--------	C:\Users\All Users\FLEXnet
2008-02-08 13:55 . 2008-02-08 13:55 d--------	C:\ProgramData\FLEXnet
2008-02-08 13:44 . 2008-02-08 13:44 d--------	C:\Program Files\Bonjour
2008-02-08 13:30 . 2008-02-08 13:30 d--------	C:\Program Files\Common Files\Macrovision Shared
2008-02-08 02:40 . 2008-02-18 14:48 d--------	C:\Users\Alex\AppData\Roaming\FileZilla
2008-02-08 02:38 . 2008-02-08 02:38 d--------	C:\Program Files\FileZilla FTP Client
2008-02-07 13:45 . 2008-02-08 14:13 d--------	C:\Users\Alex\AppData\Roaming\uTorrent
2008-02-07 13:45 . 2008-02-07 13:45 d--------	C:\Program Files\uTorrent
2008-02-01 20:42 . 2008-02-01 20:42 d--------	C:\Users\Alex\AppData\Roaming\DivX
2008-01-29 14:51 . 2008-01-29 14:52 d--------	C:\Program Files\DivX
2008-01-29 14:51 . 2008-01-29 14:51 d--------	C:\Program Files\Common Files\PX Storage Engine
2008-01-29 14:43 . 2008-01-29 14:43 d--------	C:\Program Files\Xvid
2008-01-27 23:54 . 2008-01-27 23:54 d--------	C:\Users\All Users\LightScribe
2008-01-27 23:54 . 2008-01-27 23:54 d--------	C:\ProgramData\LightScribe
2008-01-23 10:59 . 2008-01-23 10:59 d--------	C:\Users\Alex\AbiSuite
2008-01-22 20:41 . 2008-01-22 20:41 d--------	C:\Program Files\AbiSuite2
2008-01-22 16:36 . 2008-01-22 16:42 d--hsc---	C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-22 16:35 . 2008-01-22 16:43 d--------	C:\Program Files\Windows Live
2008-01-22 16:34 . 2008-01-22 16:34 d--------	C:\Users\All Users\WLInstaller
2008-01-22 16:34 . 2008-01-22 16:34 d--------	C:\ProgramData\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 05:51	---------	d-----w	C:\Program Files\PokerStars
2008-02-17 20:08	27,240	----a-w	C:\Users\Alex\AppData\Roaming\nvModes.dat
2008-02-14 04:42	---------	d-----w	C:\ProgramData\Symantec
2008-02-14 04:42	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-02-14 00:46	101,888	----a-w	C:\Windows\System32\drvinst.exe
2008-02-14 00:39	537,600	----a-w	C:\Windows\AppPatch\AcLayers.dll
2008-02-14 00:39	449,536	----a-w	C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 00:39	2,144,256	----a-w	C:\Windows\AppPatch\AcGenral.dll
2008-02-14 00:39	173,056	----a-w	C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 00:33	824,832	----a-w	C:\Windows\System32\wininet.dll
2008-02-14 00:33	56,320	----a-w	C:\Windows\System32\iesetup.dll
2008-02-14 00:33	52,736	----a-w	C:\Windows\AppPatch\iebrshim.dll
2008-02-14 00:33	26,624	----a-w	C:\Windows\System32\ieUnatt.exe
2008-02-11 23:38	---------	d-----w	C:\Program Files\Norton Internet Security
2008-02-08 20:07	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-02-08 20:06	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-02-08 18:44	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-02-07 18:11	---------	d-----w	C:\Users\Alex\AppData\Roaming\Hewlett-Packard
2008-01-13 21:55	---------	d-----w	C:\Users\Alex\AppData\Roaming\AVS4YOU
2008-01-13 21:55	---------	d-----w	C:\ProgramData\AVS4YOU
2008-01-13 21:54	---------	d-----w	C:\Program Files\Common Files\AVSMedia
2008-01-13 21:54	---------	d-----w	C:\Program Files\AVS4YOU
2008-01-13 06:50	---------	d-----w	C:\Program Files\Rhapsody
2008-01-09 23:09	---------	d-----w	C:\Users\Alex\AppData\Roaming\InstallShield
2008-01-09 08:39	---------	d-----w	C:\Program Files\Windows Sidebar
2008-01-09 08:39	---------	d-----w	C:\Program Files\Windows Mail
2008-01-09 08:06	211,000	----a-w	C:\Windows\system32\drivers\volsnap.sys
2008-01-09 08:06	1,060,920	----a-w	C:\Windows\system32\drivers\ntfs.sys
2008-01-09 08:05	11,776	----a-w	C:\Windows\System32\sbunattend.exe
2008-01-04 21:59	524,288	----a-w	C:\Windows\System32\DivXsm.exe
2008-01-04 21:58	3,596,288	----a-w	C:\Windows\System32\qt-dx331.dll
2008-01-04 21:58	200,704	----a-w	C:\Windows\System32\ssldivx.dll
2008-01-04 21:58	129,784	------w	C:\Windows\System32\PxAFS.DLL
2008-01-04 21:58	1,044,480	----a-w	C:\Windows\System32\libdivx.dll
2008-01-04 21:57	823,296	----a-w	C:\Windows\System32\divx_xx0c.dll
2008-01-04 21:57	823,296	----a-w	C:\Windows\System32\divx_xx07.dll
2008-01-04 21:57	81,920	----a-w	C:\Windows\System32\dpl100.dll
2008-01-04 21:57	802,816	----a-w	C:\Windows\System32\divx_xx11.dll
2008-01-04 21:57	682,496	----a-w	C:\Windows\System32\DivX.dll
2008-01-04 21:57	593,920	----a-w	C:\Windows\System32\dpuGUI11.dll
2008-01-04 21:57	57,344	----a-w	C:\Windows\System32\dpv11.dll
2008-01-04 21:57	53,248	----a-w	C:\Windows\System32\dpuGUI10.dll
2008-01-04 21:57	344,064	----a-w	C:\Windows\System32\dpus11.dll
2008-01-04 21:57	294,912	----a-w	C:\Windows\System32\dpu11.dll
2008-01-04 21:57	294,912	----a-w	C:\Windows\System32\dpu10.dll
2008-01-04 21:57	196,608	----a-w	C:\Windows\System32\dtu100.dll
2008-01-04 21:56	156,992	----a-w	C:\Windows\System32\DivXCodecVersionChecker.exe
2008-01-04 21:56	12,288	----a-w	C:\Windows\System32\DivXWMPExtType.dll
2007-12-28 01:14	805	----a-w	C:\Windows\system32\drivers\SYMEVENT.INF
2007-12-28 01:14	123,952	----a-w	C:\Windows\system32\drivers\SYMEVENT.SYS
2007-12-28 01:14	10,740	----a-w	C:\Windows\system32\drivers\SYMEVENT.CAT
2007-12-28 01:14	---------	d-----w	C:\Program Files\Symantec
2007-12-25 08:58	0	--sha-r	C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv6500 Notebook PC_Y5335KV_0U_QCNF7461T8K_E445841-003_4A_I30CF_SQuanta_V85.17_F.07_T070809_WV3-0_L409_M959_J160_7AMD_8F81_91.80_#071225_N10DE054C_(GS662UA#ABA)_XMOBILE_CN10_Z_2Rev 1.MRK
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Templates
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Start Menu
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Favorites
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Documents
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Desktop
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Application Data
2007-12-21 14:05	---------	d-----w	C:\Users\Alex\AppData\Roaming\HP
2007-12-21 14:05	---------	d-----w	C:\Users\Alex\AppData\Roaming\CyberLink
2007-12-21 14:05	---------	d-----w	C:\ProgramData\HP
2007-12-20 18:45	---------	d-----w	C:\ProgramData\Yahoo! Companion
2007-12-20 15:28	---------	d-----w	C:\ProgramData\Hewlett-Packard
2007-12-20 04:40	174	--sha-w	C:\Program Files\desktop.ini
2007-12-20 03:45	---------	d-----w	C:\Program Files\Windows Calendar
2007-12-19 22:12	87,040	----a-w	C:\Windows\System32\msoert2.dll
2007-12-19 22:12	704,000	----a-w	C:\Windows\System32\PhotoScreensaver.scr
2007-12-19 22:12	39,424	----a-w	C:\Windows\System32\ACCTRES.dll
2007-12-19 22:12	205,824	----a-w	C:\Windows\System32\msoeacct.dll
2007-12-19 22:09	8,147,968	----a-w	C:\Windows\System32\wmploc.DLL
2007-12-19 22:09	7,680	----a-w	C:\Windows\System32\spwmp.dll
2007-12-19 22:09	4,096	----a-w	C:\Windows\System32\dxmasf.dll
2007-12-19 22:09	356,864	----a-w	C:\Windows\System32\MediaMetadataHandler.dll
2007-12-19 22:08	86,016	----a-w	C:\Windows\System32\icfupgd.dll
2007-12-19 22:08	63,488	----a-w	C:\Windows\system32\drivers\mpsdrv.sys
2007-12-19 22:08	61,952	----a-w	C:\Windows\System32\cmifw.dll
2007-12-19 22:08	396,800	----a-w	C:\Windows\System32\MPSSVC.dll
2007-12-19 22:08	392,192	----a-w	C:\Windows\System32\FirewallAPI.dll
2007-12-19 22:08	23,040	----a-w	C:\Windows\system32\drivers\tunnel.sys
2007-12-19 22:08	178,688	----a-w	C:\Windows\System32\iphlpsvc.dll
2007-12-19 22:08	16,896	----a-w	C:\Windows\System32\wfapigp.dll
2007-12-19 22:08	15,360	----a-w	C:\Windows\system32\drivers\TUNMP.SYS
2007-12-19 22:07	1,191,936	----a-w	C:\Windows\System32\msxml3.dll
2007-12-19 22:06	8,704	----a-w	C:\Windows\System32\hcrstco.dll
2007-12-19 22:06	8,704	----a-w	C:\Windows\System32\hccoin.dll
2007-12-19 22:06	5,888	----a-w	C:\Windows\system32\drivers\usbd.sys
2007-12-19 22:06	38,400	----a-w	C:\Windows\system32\drivers\usbehci.sys
2007-12-19 22:06	224,768	----a-w	C:\Windows\system32\drivers\usbport.sys
2007-12-19 22:06	193,536	----a-w	C:\Windows\system32\drivers\usbhub.sys
2007-12-19 22:06	19,456	----a-w	C:\Windows\system32\drivers\usbohci.sys
2007-12-19 22:05	1,327,104	----a-w	C:\Windows\System32\quartz.dll
2007-12-19 22:04	9,728	----a-w	C:\Windows\System32\LAPRXY.DLL
2007-12-19 22:04	82,432	----a-w	C:\Windows\system32\drivers\sdbus.sys
2007-12-19 22:04	223,232	----a-w	C:\Windows\System32\WMASF.DLL
2007-12-19 22:03	57,856	----a-w	C:\Windows\System32\SLUINotify.dll
2007-12-19 22:03	566,784	----a-w	C:\Windows\System32\SLCommDlg.dll
2007-12-19 22:03	39,936	----a-w	C:\Windows\System32\slcinst.dll
2007-12-19 22:03	351,232	----a-w	C:\Windows\System32\SLUI.exe
2007-12-19 22:03	33,280	----a-w	C:\Windows\System32\slwmi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 07:34 2159104 C:\Windows\System32\oobefldr.dll]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:35 125440]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\Alex\AppData\Local\Temp\rqomn.dll" [2008-02-08 14:19 338432]
"147fba20"="C:\Users\Alex\AppData\Local\Temp\rmhjklje.dll" [2008-02-17 15:08 87616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-04 04:57 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 22:36 827392]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 20:11 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 13:38 159744]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-08 21:57 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-08 21:57 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-08 21:57 81920]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 15:18 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 18:12 317128]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-04 06:36 77824]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 04:45 222208]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 03:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 02:01:50 734872]
Vongo Tray.lnk - C:\Windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-04 06:09:25 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 11:15 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-03-20 17:23 1773568 C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 15:26 484904 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080122.002\IDSvix86.sys [2007-12-04 17:51]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 11:44]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 18:50]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-01-03 10:43]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 03:12:38 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Alex.job"
- c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-02-18 08:14:12 C:\Windows\Tasks\User_Feed_Synchronization-{6399A787-DD9E-4E4D-A9EE-22D31430730D}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 15:15:35
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\Alex\AppData\Local\Temp\rmhjklje.dll
-> C:\Users\Alex\AppData\Local\Temp\rqomn.dll
.
Completion time: 2008-02-18 15:17:52
.
2008-02-16 15:16:12	--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:29 PM, on 2/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Users\Alex\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Alex.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter 
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Alex\AppData\Local\Temp\nnnol.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Alex\AppData\Local\Temp\rqomn.dll,c
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Alex\AppData\Local\Temp\rsjvnwxq.dll",run
O4 - HKCU\..\Run: [147fba20] rundll32.exe "C:\Users\Alex\AppData\Local\Temp\wllsamqo.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10680 bytes


----------



## Parenthesis (Feb 10, 2008)

Hi Jst...

I just noticed I posted log.txt, not combofix.txt...

I do not see a combofix.txt, is the name just different but it is in fact the same file?

Best,
Alex


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Parenthesis* 

*Copy the entire contents of the Quote Box* below to *Notepad*. 
Name the file as *CFScript.txt* 
Change the *Save as Type* to *All Files* 
and *Save* it on the *desktop* 



> File::
> C:\Users\Alex\AppData\Local\Temp\rqomn.dll
> C:\Users\Alex\AppData\Local\Temp\rmhjklje.dll
> C:\Users\Alex\AppData\Local\Temp\wllsamqo.dll
> ...
Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report along with a fresh HijackThis log (need to re-scan with HijackThis and save the report).
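
The logs in this thread show the pattern worth recognising: four HKCU Run values (MSServer, cmds, MS Juan, 147fba20) all start rundll32 against DLLs with random names under C:\Users\Alex\AppData\Local\Temp, and ComboFix lists two of those DLLs mapped into Explorer.exe, which fits the folder and Control Panel windows closing on their own. The Python below is an added example for this thread, not a tool from the original posts or from the HijackThis or ComboFix authors. It pulls the O4 entries out of a HijackThis log, keeps the rundll32 ones whose payload lives in a Temp folder, cross-checks the ComboFix "DLLs Loaded Under Running Processes" section, and prints a File:: block in the CFScript form used above. The sample lines are copied from the logs posted above; the Temp-folder rule is this example's own heuristic, not something either tool applies itself.

```python
"""Triage helper for the logs in this thread (added example, not a tool
from the original posts or from the HijackThis/ComboFix authors).

Flags O4 autostarts that run rundll32 against a DLL in a Temp folder,
cross-checks ComboFix's "DLLs Loaded Under Running Processes" section,
and renders the CFScript "File::" block the helper asked for above.
"""
import re

# Sample input copied from the HijackThis log posted above (trimmed).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Alex\AppData\Local\Temp\nnnol.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Alex\AppData\Local\Temp\rqomn.dll,c
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Alex\AppData\Local\Temp\rsjvnwxq.dll",run
O4 - HKCU\..\Run: [147fba20] rundll32.exe "C:\Users\Alex\AppData\Local\Temp\wllsamqo.dll",b
"""

# Sample input copied from the ComboFix log posted above (trimmed).
COMBOFIX_SAMPLE = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\Alex\AppData\Local\Temp\rmhjklje.dll
-> C:\Users\Alex\AppData\Local\Temp\rqomn.dll
.
"""

# "O4 - HKCU\..\Run: [name] command"  (Global Startup lines do not match)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] ["]path.dll["],entrypoint
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,', re.IGNORECASE)
# Heuristic of this example: nothing legitimate persists at logon from a
# Temp directory, so any autostart DLL under one is treated as hostile.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_hjt_autostarts(text):
    """Return (hive, key, name, command) for every registry O4 line."""
    out = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append((m["hive"], m["key"], m["name"], m["cmd"].strip()))
    return out


def rundll32_target(command):
    """DLL path a rundll32 command loads, or None if it is not rundll32."""
    m = RUNDLL_RE.match(command)
    return m["dll"] if m else None


def is_temp_path(path):
    return TEMP_RE.search(path) is not None


def suspicious_autostarts(hjt_text):
    """O4 entries whose rundll32 payload lives in a Temp directory."""
    hits = []
    for hive, key, name, cmd in parse_hjt_autostarts(hjt_text):
        dll = rundll32_target(cmd)
        if dll and is_temp_path(dll):
            hits.append({"hive": hive, "key": key, "name": name, "dll": dll})
    return hits


def injected_temp_dlls(combofix_text):
    """Temp DLLs per process from ComboFix's 'DLLs Loaded' section."""
    found, process, in_section = {}, None, False
    for line in combofix_text.splitlines():
        line = line.strip()
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
        elif not in_section:
            continue
        elif line.startswith("PROCESS:"):
            process = line[len("PROCESS:"):].split(" [", 1)[0].strip()
        elif line.startswith("->") and process:
            dll = line[2:].strip()
            if is_temp_path(dll):
                found.setdefault(process, []).append(dll)
        elif line == "." and process:  # ComboFix ends each section with "."
            break
    return found


def build_cfscript(paths):
    """Render the 'File::' block in the form the helper posted above."""
    return "File::\n" + "\n".join(sorted(set(paths), key=str.lower)) + "\n"


def triage(hjt_text, combofix_text):
    findings = suspicious_autostarts(hjt_text)
    injected = injected_temp_dlls(combofix_text)
    paths = [f["dll"] for f in findings]
    for dlls in injected.values():
        paths.extend(dlls)
    return findings, injected, build_cfscript(paths)


if __name__ == "__main__":
    findings, injected, script = triage(HJT_SAMPLE, COMBOFIX_SAMPLE)
    for f in findings:
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['dll']}")
    for proc, dlls in injected.items():
        print(f"{proc}: {len(dlls)} Temp DLL(s) mapped")
    print(script)
```

Listing a file that is no longer on disk is harmless: the ComboFix run above reports deleting only rmhjklje.dll and rqomn.dll, so the other two names in its FILE:: list were not found. That is expected for a payload that comes back under a fresh random name (the first post already mentions mtyunqkg.dll), which is why the check worth repeating after cleanup is that the HKCU Run values themselves are gone, as they are in the final HijackThis log in this thread.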


----------



## Parenthesis (Feb 10, 2008)

ComboFix 08-02-17.2 - Alex 2008-02-18 16:06:03.2 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.349 [GMT -5:00]
Running from: C:\Users\Alex\Desktop\ComboFix.exe
Command switches used :: C:\Users\Alex\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Users\Alex\AppData\Local\Temp\rmhjklje.dll
C:\Users\Alex\AppData\Local\Temp\rqomn.dll
C:\Users\Alex\AppData\Local\Temp\rsjvnwxq.dll
C:\Users\Alex\AppData\Local\Temp\wllsamqo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Alex\AppData\Local\Temp\rmhjklje.dll
C:\Users\Alex\AppData\Local\Temp\rqomn.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-15 18:06 . 2008-01-10 00:50	1,244,672	--a------	C:\Windows\System32\mcmde.dll
2008-02-13 19:48 . 2008-02-13 19:48	194,560	--a------	C:\Windows\System32\WebClnt.dll
2008-02-13 19:48 . 2008-02-13 19:48	110,080	--a------	C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 19:46 . 2008-02-13 19:46	613,888	--a------	C:\Windows\System32\wpd_ci.dll
2008-02-13 19:46 . 2008-02-13 19:46	224,824	--a------	C:\Windows\System32\clfs.sys
2008-02-13 19:46 . 2008-02-13 19:46	19,456	--a------	C:\Windows\System32\cfgmgr32.dll
2008-02-13 19:41 . 2008-02-13 19:41	3,504,696	--a------	C:\Windows\System32\ntkrnlpa.exe
2008-02-13 19:41 . 2008-02-13 19:41	3,470,392	--a------	C:\Windows\System32\ntoskrnl.exe
2008-02-13 19:41 . 2008-02-13 19:41	154,624	--a------	C:\Windows\System32\drivers\nwifi.sys
2008-02-13 19:41 . 2008-02-13 19:41	109,624	--a------	C:\Windows\System32\drivers\ataport.sys
2008-02-13 19:41 . 2008-02-13 19:41	45,112	--a------	C:\Windows\System32\drivers\pciidex.sys
2008-02-13 19:41 . 2008-02-13 19:41	21,560	--a------	C:\Windows\System32\drivers\atapi.sys
2008-02-13 19:41 . 2008-02-13 19:41	15,928	--a------	C:\Windows\System32\drivers\pciide.sys
2008-02-13 19:40 . 2008-02-13 19:40	803,328	--a------	C:\Windows\System32\drivers\tcpip.sys
2008-02-13 19:40 . 2008-02-13 19:40	216,632	--a------	C:\Windows\System32\drivers\netio.sys
2008-02-13 19:40 . 2008-02-13 19:40	167,424	--a------	C:\Windows\System32\tcpipcfg.dll
2008-02-13 19:40 . 2008-02-13 19:40	24,064	--a------	C:\Windows\System32\netcfg.exe
2008-02-13 19:40 . 2008-02-13 19:40	22,016	--a------	C:\Windows\System32\netiougc.exe
2008-02-13 19:39 . 2008-02-13 19:39	4,247,552	--a------	C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 19:39 . 2008-02-13 19:39	1,686,528	--a------	C:\Windows\System32\gameux.dll
2008-02-13 18:23 . 2008-02-13 19:23 d--------	C:\Users\All Users\Spybot - Search & Destroy
2008-02-13 18:23 . 2008-02-13 19:23 d--------	C:\ProgramData\Spybot - Search & Destroy
2008-02-13 18:23 . 2008-02-13 18:23 d--------	C:\Program Files\Spybot - Search & Destroy
2008-02-12 23:06 . 2008-02-12 23:06 d--------	C:\Deckard
2008-02-12 03:09 . 2008-02-12 03:09 d--------	C:\Users\Alex\AppData\Roaming\acccore
2008-02-11 23:39 . 2008-02-11 23:39 d--------	C:\Users\All Users\Viewpoint
2008-02-11 23:39 . 2008-02-11 23:39 d--------	C:\ProgramData\Viewpoint
2008-02-11 23:39 . 2008-02-11 23:44 d--------	C:\Program Files\Viewpoint
2008-02-11 23:38 . 2008-02-12 00:19 d--------	C:\Users\All Users\AOL OCP
2008-02-11 23:38 . 2008-02-11 23:38 d--------	C:\Users\All Users\AOL
2008-02-11 23:38 . 2008-02-12 00:19 d--------	C:\ProgramData\AOL OCP
2008-02-11 23:38 . 2008-02-11 23:38 d--------	C:\ProgramData\AOL
2008-02-11 23:38 . 2008-02-11 23:38 d--------	C:\Program Files\Common Files\AOL
2008-02-11 23:34 . 2008-02-12 00:17 d--------	C:\Program Files\AIM6
2008-02-11 23:33 . 2008-02-12 00:17	433	--ah-----	C:\IPH.PH
2008-02-11 18:38 . 2008-01-12 18:32	23,904	--a------	C:\Windows\System32\drivers\COH_Mon.sys
2008-02-11 18:38 . 2008-01-15 09:54	10,537	--a------	C:\Windows\System32\drivers\COH_Mon.cat
2008-02-11 18:38 . 2008-01-15 05:28	706	--a------	C:\Windows\System32\drivers\COH_Mon.inf
2008-02-10 16:39 . 2008-02-10 16:40 d--------	C:\Users\Alex\.SunDownloadManager
2008-02-10 15:22 . 2008-02-10 15:22 d--------	C:\Users\Alex\DoctorWeb
2008-02-10 13:39 . 2008-02-10 13:39 d--------	C:\Program Files\SpywareBlaster
2008-02-10 13:39 . 2005-08-25 18:19	115,920	--a------	C:\Windows\System32\MSINET.OCX
2008-02-10 13:00 . 2008-02-10 13:00 d--------	C:\Program Files\Trend Micro
2008-02-08 13:55 . 2008-02-08 13:55 d--------	C:\Users\All Users\FLEXnet
2008-02-08 13:55 . 2008-02-08 13:55 d--------	C:\ProgramData\FLEXnet
2008-02-08 13:44 . 2008-02-08 13:44 d--------	C:\Program Files\Bonjour
2008-02-08 13:30 . 2008-02-08 13:30 d--------	C:\Program Files\Common Files\Macrovision Shared
2008-02-08 02:40 . 2008-02-18 14:48 d--------	C:\Users\Alex\AppData\Roaming\FileZilla
2008-02-08 02:38 . 2008-02-08 02:38 d--------	C:\Program Files\FileZilla FTP Client
2008-02-07 13:45 . 2008-02-08 14:13 d--------	C:\Users\Alex\AppData\Roaming\uTorrent
2008-02-07 13:45 . 2008-02-07 13:45 d--------	C:\Program Files\uTorrent
2008-02-01 20:42 . 2008-02-01 20:42 d--------	C:\Users\Alex\AppData\Roaming\DivX
2008-01-29 14:51 . 2008-01-29 14:52 d--------	C:\Program Files\DivX
2008-01-29 14:51 . 2008-01-29 14:51 d--------	C:\Program Files\Common Files\PX Storage Engine
2008-01-29 14:43 . 2008-01-29 14:43 d--------	C:\Program Files\Xvid
2008-01-27 23:54 . 2008-01-27 23:54 d--------	C:\Users\All Users\LightScribe
2008-01-27 23:54 . 2008-01-27 23:54 d--------	C:\ProgramData\LightScribe
2008-01-23 10:59 . 2008-01-23 10:59 d--------	C:\Users\Alex\AbiSuite
2008-01-22 20:41 . 2008-01-22 20:41 d--------	C:\Program Files\AbiSuite2
2008-01-22 16:36 . 2008-01-22 16:42 d--hsc---	C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-22 16:35 . 2008-01-22 16:43 d--------	C:\Program Files\Windows Live
2008-01-22 16:34 . 2008-01-22 16:34 d--------	C:\Users\All Users\WLInstaller
2008-01-22 16:34 . 2008-01-22 16:34 d--------	C:\ProgramData\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 05:51	---------	d-----w	C:\Program Files\PokerStars
2008-02-17 20:08	27,240	----a-w	C:\Users\Alex\AppData\Roaming\nvModes.dat
2008-02-14 04:42	---------	d-----w	C:\ProgramData\Symantec
2008-02-14 04:42	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-02-14 00:46	101,888	----a-w	C:\Windows\System32\drvinst.exe
2008-02-14 00:39	537,600	----a-w	C:\Windows\AppPatch\AcLayers.dll
2008-02-14 00:39	449,536	----a-w	C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 00:39	2,144,256	----a-w	C:\Windows\AppPatch\AcGenral.dll
2008-02-14 00:39	173,056	----a-w	C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 00:33	824,832	----a-w	C:\Windows\System32\wininet.dll
2008-02-14 00:33	56,320	----a-w	C:\Windows\System32\iesetup.dll
2008-02-14 00:33	52,736	----a-w	C:\Windows\AppPatch\iebrshim.dll
2008-02-14 00:33	26,624	----a-w	C:\Windows\System32\ieUnatt.exe
2008-02-11 23:38	---------	d-----w	C:\Program Files\Norton Internet Security
2008-02-08 20:07	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-02-08 20:06	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-02-08 18:44	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-02-07 18:11	---------	d-----w	C:\Users\Alex\AppData\Roaming\Hewlett-Packard
2008-01-13 21:55	---------	d-----w	C:\Users\Alex\AppData\Roaming\AVS4YOU
2008-01-13 21:55	---------	d-----w	C:\ProgramData\AVS4YOU
2008-01-13 21:54	---------	d-----w	C:\Program Files\Common Files\AVSMedia
2008-01-13 21:54	---------	d-----w	C:\Program Files\AVS4YOU
2008-01-13 06:50	---------	d-----w	C:\Program Files\Rhapsody
2008-01-09 23:09	---------	d-----w	C:\Users\Alex\AppData\Roaming\InstallShield
2008-01-09 08:39	---------	d-----w	C:\Program Files\Windows Sidebar
2008-01-09 08:39	---------	d-----w	C:\Program Files\Windows Mail
2008-01-09 08:06	211,000	----a-w	C:\Windows\system32\drivers\volsnap.sys
2008-01-09 08:06	1,060,920	----a-w	C:\Windows\system32\drivers\ntfs.sys
2008-01-09 08:05	11,776	----a-w	C:\Windows\System32\sbunattend.exe
2008-01-04 21:59	524,288	----a-w	C:\Windows\System32\DivXsm.exe
2008-01-04 21:58	3,596,288	----a-w	C:\Windows\System32\qt-dx331.dll
2008-01-04 21:58	200,704	----a-w	C:\Windows\System32\ssldivx.dll
2008-01-04 21:58	129,784	------w	C:\Windows\System32\PxAFS.DLL
2008-01-04 21:58	1,044,480	----a-w	C:\Windows\System32\libdivx.dll
2008-01-04 21:57	823,296	----a-w	C:\Windows\System32\divx_xx0c.dll
2008-01-04 21:57	823,296	----a-w	C:\Windows\System32\divx_xx07.dll
2008-01-04 21:57	81,920	----a-w	C:\Windows\System32\dpl100.dll
2008-01-04 21:57	802,816	----a-w	C:\Windows\System32\divx_xx11.dll
2008-01-04 21:57	682,496	----a-w	C:\Windows\System32\DivX.dll
2008-01-04 21:57	593,920	----a-w	C:\Windows\System32\dpuGUI11.dll
2008-01-04 21:57	57,344	----a-w	C:\Windows\System32\dpv11.dll
2008-01-04 21:57	53,248	----a-w	C:\Windows\System32\dpuGUI10.dll
2008-01-04 21:57	344,064	----a-w	C:\Windows\System32\dpus11.dll
2008-01-04 21:57	294,912	----a-w	C:\Windows\System32\dpu11.dll
2008-01-04 21:57	294,912	----a-w	C:\Windows\System32\dpu10.dll
2008-01-04 21:57	196,608	----a-w	C:\Windows\System32\dtu100.dll
2008-01-04 21:56	156,992	----a-w	C:\Windows\System32\DivXCodecVersionChecker.exe
2008-01-04 21:56	12,288	----a-w	C:\Windows\System32\DivXWMPExtType.dll
2007-12-28 01:14	805	----a-w	C:\Windows\system32\drivers\SYMEVENT.INF
2007-12-28 01:14	123,952	----a-w	C:\Windows\system32\drivers\SYMEVENT.SYS
2007-12-28 01:14	10,740	----a-w	C:\Windows\system32\drivers\SYMEVENT.CAT
2007-12-28 01:14	---------	d-----w	C:\Program Files\Symantec
2007-12-25 08:58	0	--sha-r	C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv6500 Notebook PC_Y5335KV_0U_QCNF7461T8K_E445841-003_4A_I30CF_SQuanta_V85.17_F.07_T070809_WV3-0_L409_M959_J160_7AMD_8F81_91.80_#071225_N10DE054C_(GS662UA#ABA)_XMOBILE_CN10_Z_2Rev 1.MRK
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Templates
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Start Menu
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Favorites
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Documents
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Desktop
2007-12-25 08:46	---------	d-sh--w	C:\ProgramData\Application Data
2007-12-21 14:05	---------	d-----w	C:\Users\Alex\AppData\Roaming\HP
2007-12-21 14:05	---------	d-----w	C:\Users\Alex\AppData\Roaming\CyberLink
2007-12-21 14:05	---------	d-----w	C:\ProgramData\HP
2007-12-20 18:45	---------	d-----w	C:\ProgramData\Yahoo! Companion
2007-12-20 15:28	---------	d-----w	C:\ProgramData\Hewlett-Packard
2007-12-20 04:40	174	--sha-w	C:\Program Files\desktop.ini
2007-12-20 03:45	---------	d-----w	C:\Program Files\Windows Calendar
2007-12-19 22:12	87,040	----a-w	C:\Windows\System32\msoert2.dll
2007-12-19 22:12	704,000	----a-w	C:\Windows\System32\PhotoScreensaver.scr
2007-12-19 22:12	39,424	----a-w	C:\Windows\System32\ACCTRES.dll
2007-12-19 22:12	205,824	----a-w	C:\Windows\System32\msoeacct.dll
2007-12-19 22:09	8,147,968	----a-w	C:\Windows\System32\wmploc.DLL
2007-12-19 22:09	7,680	----a-w	C:\Windows\System32\spwmp.dll
2007-12-19 22:09	4,096	----a-w	C:\Windows\System32\dxmasf.dll
2007-12-19 22:09	356,864	----a-w	C:\Windows\System32\MediaMetadataHandler.dll
2007-12-19 22:08	86,016	----a-w	C:\Windows\System32\icfupgd.dll
2007-12-19 22:08	63,488	----a-w	C:\Windows\system32\drivers\mpsdrv.sys
2007-12-19 22:08	61,952	----a-w	C:\Windows\System32\cmifw.dll
2007-12-19 22:08	396,800	----a-w	C:\Windows\System32\MPSSVC.dll
2007-12-19 22:08	392,192	----a-w	C:\Windows\System32\FirewallAPI.dll
2007-12-19 22:08	23,040	----a-w	C:\Windows\system32\drivers\tunnel.sys
2007-12-19 22:08	178,688	----a-w	C:\Windows\System32\iphlpsvc.dll
2007-12-19 22:08	16,896	----a-w	C:\Windows\System32\wfapigp.dll
2007-12-19 22:08	15,360	----a-w	C:\Windows\system32\drivers\TUNMP.SYS
2007-12-19 22:07	1,191,936	----a-w	C:\Windows\System32\msxml3.dll
2007-12-19 22:06	8,704	----a-w	C:\Windows\System32\hcrstco.dll
2007-12-19 22:06	8,704	----a-w	C:\Windows\System32\hccoin.dll
2007-12-19 22:06	5,888	----a-w	C:\Windows\system32\drivers\usbd.sys
2007-12-19 22:06	38,400	----a-w	C:\Windows\system32\drivers\usbehci.sys
2007-12-19 22:06	224,768	----a-w	C:\Windows\system32\drivers\usbport.sys
2007-12-19 22:06	193,536	----a-w	C:\Windows\system32\drivers\usbhub.sys
2007-12-19 22:06	19,456	----a-w	C:\Windows\system32\drivers\usbohci.sys
2007-12-19 22:05	1,327,104	----a-w	C:\Windows\System32\quartz.dll
2007-12-19 22:04	9,728	----a-w	C:\Windows\System32\LAPRXY.DLL
2007-12-19 22:04	82,432	----a-w	C:\Windows\system32\drivers\sdbus.sys
2007-12-19 22:04	223,232	----a-w	C:\Windows\System32\WMASF.DLL
2007-12-19 22:03	57,856	----a-w	C:\Windows\System32\SLUINotify.dll
2007-12-19 22:03	566,784	----a-w	C:\Windows\System32\SLCommDlg.dll
2007-12-19 22:03	39,936	----a-w	C:\Windows\System32\slcinst.dll
2007-12-19 22:03	351,232	----a-w	C:\Windows\System32\SLUI.exe
2007-12-19 22:03	33,280	----a-w	C:\Windows\System32\slwmi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 07:34 2159104 C:\Windows\System32\oobefldr.dll]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:35 125440]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-04 04:57 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 22:36 827392]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 20:11 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 13:38 159744]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-08 21:57 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-08 21:57 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-08 21:57 81920]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 15:18 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 18:12 317128]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-04 06:36 77824]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 04:45 222208]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 03:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 02:01:50 734872]
Vongo Tray.lnk - C:\Windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-04 06:09:25 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 11:15 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-03-20 17:23 1773568 C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-04-19 15:26 484904 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080122.002\IDSvix86.sys [2007-12-04 17:51]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 11:44]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 18:50]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-01-03 10:43]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 03:12:38 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Alex.job"
- c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-02-18 20:31:24 C:\Windows\Tasks\User_Feed_Synchronization-{6399A787-DD9E-4E4D-A9EE-22D31430730D}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 16:11:53
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 16:13:47
ComboFix-quarantined-files.txt 2008-02-18 21:13:43
ComboFix2.txt 2008-02-18 20:17:53
.
2008-02-16 15:16:12	--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:52 PM, on 2/18/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Vongo\Tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter 
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9892 bytes


----------
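As an added example (not part of this thread, and not HijackThis's or Malwarebytes' own code), here is a small Python check that parses O4 autostart lines in the HijackThis log format shown above and flags any entry whose loaded module lives in a Temp folder, which is exactly what the rundll32 entry behind the original poster's "Missing entry: run" error looked like. The sample log lines are constructed; the Temp DLL path is the one reported in the first post, and the `abcdefgh` entry name is a placeholder.

```python
"""Flag Run/RunOnce entries in a HijackThis log that load code from a Temp folder."""
import re

# Constructed sample lines in HijackThis O4 format (not the thread's actual log).
# The third line mirrors the symptom from the original post: rundll32 loading a
# randomly named DLL from the user's Temp folder and calling its "run" export.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [abcdefgh] rundll32.exe C:\Users\Alex\AppData\Local\Temp\mtyunqkg.dll,run
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run|RunOnce): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)\s*(?:\(User '[^']*'\))?$")
# Per-user and legacy Temp locations; matched case-insensitively against the module path.
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Local Settings\\Temp|Temp)\\", re.IGNORECASE)


def parse_o4(line):
    """Return hive/key/name/cmd for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def loaded_module(cmd):
    """Return the executable or DLL the command really loads.
    A rundll32 launcher is unwrapped so the DLL it loads is examined, not rundll32 itself."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):
        cmd = cmd.split(None, 1)[1] if " " in cmd else ""
        cmd = cmd.split(",", 1)[0]                     # drop the ",ExportName" suffix
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]                # quoted path with spaces
    return cmd.split(" /", 1)[0].split(" -", 1)[0]    # drop trailing switches


def flag_temp_autostarts(log_text):
    """Return (entry name, module path) for each Run/RunOnce entry loading from Temp."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        module = loaded_module(entry["cmd"])
        if TEMP_RE.search(module):
            hits.append((entry["name"], module))
    return hits


if __name__ == "__main__":
    for name, module in flag_temp_autostarts(SAMPLE_LOG):
        print(f"suspicious autostart [{name}] loads {module}")
```

Legitimate software almost never autostarts from a Temp folder, so a hit here is worth quarantining and scanning rather than deleting by hand.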



## JSntgRvr (Jul 1, 2003)

Let's scan for remnants:

Please download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.*


----------



## Parenthesis (Feb 10, 2008)

It didn't say to restart but I am doing it now anyway 


Malwarebytes' Anti-Malware 1.03
Database version: 374

Scan type: Quick Scan
Objects scanned: 23003
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## JSntgRvr (Jul 1, 2003)

How is the computer doing?


----------



## Parenthesis (Feb 10, 2008)

It seems all cleared up! When I rebooted none of the windows popped up. None of the problem I mentioned exist. So far so good 

What do you think?


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Parenthesis*. 

All clear, congratulations.

Click on the Vista logo (used to be the "Start" button).
In the "*Start Search*" box type *Combofix /u*. Note the space between the X and the /U, it needs to be there.
Do NOT hit ENTER. Instead hit *CTRL+SHIFT+ENTER*.
If the disclaimer notice is displayed, select "*2*" and press Enter
The above procedure will:
 Delete the following:
 ComboFix and its associated files and folders.
 VundoFix backups, if present
 The C:\Deckard folder, if present
 The C:\_OtMoveIt folder, if present

 Reset the clock settings.
 Hide file extensions, if required.
 Hide System/Hidden files, if required.
 Set a new, clean Restore Point.
*Create a Restore point*: (Windows Vista)

Open up the Start Menu and right-click on "Computer", and then select "Properties".
This will take you into the System area of Control Panel. Click on the "Advanced system settings" on the left hand side.
Now select the "System Protection" tab to get to the System Restore section.
Click the "Create" button to create a new restore point. You'll be prompted for a name, and you might want to give it a useful name that you'll be able to easily identify later.
Click the Create button, and then the system will create the restore point.
When it's all finished, you'll get a message saying it's completed successfully.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

*SpywareBlaster* - Great prevention tool to keep nasties from installing on your system.

*ZonedOut + IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*Windows Updates* - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------



## Parenthesis (Feb 10, 2008)

It's a beautiful thing! Thanks a lot.


----------



## JSntgRvr (Jul 1, 2003)

You are Welcome!


----------

