# Solved: Back, this time with Virtumonde.sci nibbling at my toes!



## Dantesgirl (Sep 26, 2008)

God, you people must be sick of me. 

A few days ago, I ran some routine scans and found that Spybot S&D had detected Virtumonde.sci. Ever since, I've been trying to get rid of it, but to no avail.

Luckily, the only thing I've noticed it has done is consume CPU usage - I'm using Firefox and so far, there have been no pop-ups.

*For the sake of convenience, here is a list of things I have done to try and remove this nasty bug:*

+ Deleted suspicious-looking files myself with HijackThis - didn't work, Virtumonde has a DLL file which relaunches these files upon reboot.
+ Scanned with Ad-Aware - nothing found.
+ Scanned with MalwareBytes (usually very reliable) - nothing found.
+ Scanned with Spyware Doctor (also usually very reliable) - nothing found.
+ Scanned with Spybot S&D - the only scanner that identified Virtumonde.sci, but cannot permanently remove due to that pesky DLL file. 
+ Scanned with VundoFix - nothing found.
+ Scanned with Symantec's Virtumonde Removal Tool - received C++ error upon scanning, Task Manager couldn't end it so I had to log off. (A sign maybe?)
+ Scanned with Spybot S&D during Safe Mode - found Virtumonde.sci again, but still couldn't permanently remove it.
+ Scanned with Ad-Aware during Safe Mode - nothing found.
+ Scanned with MalwareBytes during Safe Mode - nothing found.
+ Scanned with Spyware Doctor during Safe Mode - nothing found.

I haven't tried ComboFix.exe just yet because I would very much prefer to be guided on its use by a professional. Some of the warnings it carries have put me off using it independently, so I thought I'd come and bug you nice people.

As you can tell from my list, I'm pretty frustrated and feel that I've run out of options. Below is my recent HijackThis log and a start-up list, I hope this helps.

*Again, for the sake of convenience, here are the two files that I tried to remove using HijackThis as they looked suspicious:*

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {A6984C00-C6EB-11D4-B4A4-080000180323} - (no file)

Please note: 'O2 - BHO: (no name) - {A6984C00-C6EB-11D4-B4A4-080000180323} - (no file)' didn't appear until *after* I tried to remove Virtumonde.sci with Spybot S&D during Safe Mode. Is there a particular reason for this?

Help is very much appreciated, thank you.


----------



## Dantesgirl (Sep 26, 2008)

I've waited two days and nothing. Can nobody help me out?

Fresh log attached.

ANOTHER EDIT: Finally read some guides and did a ComboFix scan; the results are attached.


----------



## Dantesgirl (Sep 26, 2008)

What do I have to do to get a response? I'm really frustrated here! 

ANOTHER fresh log, hopefully 3rd time'll be the charm.


----------



## Dantesgirl (Sep 26, 2008)

Bump.


----------



## Dantesgirl (Sep 26, 2008)

Bump.


----------



## Cookiegal (Aug 27, 2003)

Please do not attach the logs unless it's necessary because they are too big to fit in one post or you've been instructed to.

Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe Stock Photos 1.0
AIM 6
AppCore
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
Belkin Wireless G Plus MIMO USB Network Adapter
Bonjour
ccCommon
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Component Framework
Conexant HD Audio
CyberLink DVD Suite
CyberLink YouCam
CyberLink YouCam
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Google Updater
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Easy Setup - Frontend
HP Help and Support
HP Quick Launch Buttons 6.40 D3
HP Total Care Advisor
HP Update
HP User Guides 0110
HP Wireless Assistant
HPNetworkAssistant
InterVideo DeviceService
iTunes
Java(TM) 6 Update 4
Java(TM) 6 Update 7
LabelPrint
LightScribe System Software 1.14.25.1
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
muvee autoProducer 6.1
My HP Games
NetWaiting
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
OpenOffice.org 2.4
Pen Tablet
Power2Go
PowerDirector
QuickPlay SlingPlayer 0.4.6
QuickTime
Rapidown 5.9 SE - http://www.rapidown.com
Realtek USB 2.0 Card Reader
Skype 3.6
SPBBC 32bit
Spybot - Search & Destroy
Spyware Doctor 6.0
Symantec Real Time Storage Protection Component
Synaptics Pointing Device Driver
System Requirements Lab
Ulead VideoStudio 11
Uniblue RegistryBooster 2009
Uniblue RegistryBooster 2009
VeohTV BETA
Viewpoint Media Player
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Player Firefox Plugin
WinRAR archiver
WinZip 12.0
World of Warcraft


----------



## Cookiegal (Aug 27, 2003)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:43, on 10/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Rapidown\rapidown.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\Geek.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {A6984C00-C6EB-11D4-B4A4-080000180323} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Rapidown.lnk = C:\Program Files\Rapidown\rapidown.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Rapidown... - C:\Program Files\Rapidown\rapidownGetAll.htm
O8 - Extra context menu item: Download by Rapidown... - C:\Program Files\Rapidown\rapidownGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\rapidown.exe
O9 - Extra 'Tools' menuitem: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\rapidown.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13614 bytes


----------



## Cookiegal (Aug 27, 2003)

ComboFix 08-10-08.05 - Natalie 2008-10-10 1:03:00.2 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.857 [GMT 1:00]
Running from: C:\Users\Natalie\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2008-10-08 19:33 . 2008-10-08 19:33 d--------	C:\Windows\Noslip
2008-10-08 19:33 . 2008-10-08 19:34	296	--a------	C:\Windows\ULEAD32.INI
2008-10-07 21:54 . 2008-10-07 21:54 d--------	C:\Users\Natalie\AppData\Roaming\Uniblue
2008-10-07 21:54 . 2008-10-07 21:54 d--h-c---	C:\Users\All Users\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-07 21:54 . 2008-10-07 21:54 d--h-c---	C:\ProgramData\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-05 18:03 . 2008-10-08 01:28 d--------	C:\Program Files\BHODemon 2
2008-10-05 17:41 . 2008-10-05 17:41 d--------	C:\VundoFix Backups
2008-10-05 17:08 . 2008-10-05 17:08 d--------	C:\WTablet
2008-10-04 20:19 . 2008-10-04 20:19 d--------	C:\Program Files\Elaborate Bytes
2008-10-04 00:08 . 2008-10-04 00:08 d--------	C:\Program Files\Alcohol Soft
2008-10-03 19:44 . 2008-10-03 19:44	716,272	--a------	C:\Windows\System32\drivers\sptd.sys
2008-10-01 00:05 . 2008-10-09 16:33 d--------	C:\Users\Natalie\AppData\Roaming\OpenOffice.org2
2008-10-01 00:01 . 2008-10-01 00:01 d--------	C:\Program Files\OpenOffice.org 2.4
2008-09-30 17:56 . 2008-10-08 01:28 d--------	C:\Program Files\Rapidown
2008-09-30 05:52 . 2008-09-30 05:52 d--------	C:\Users\Natalie\AppData\Roaming\WildTangent
2008-09-29 21:30 . 2008-09-29 21:30 d--------	C:\Program Files\Common Files\Java
2008-09-29 21:09 . 2008-09-29 21:09 d--------	C:\_OTMoveIt
2008-09-27 22:13 . 2008-09-27 22:13 d--------	C:\Users\Natalie\AppData\Roaming\DivX
2008-09-27 22:13 . 2008-09-27 22:13 d--------	C:\Program Files\DivX
2008-09-27 22:13 . 2008-09-27 22:13 d--------	C:\Program Files\Common Files\PX Storage Engine
2008-09-27 02:47 . 2008-10-09 16:32 d--------	C:\Users\Natalie\AppData\Roaming\WTablet
2008-09-27 02:47 . 2008-09-27 02:47 d--------	C:\Users\All Users\AppData
2008-09-27 02:47 . 2008-09-27 02:47 d--------	C:\ProgramData\AppData
2008-09-27 02:47 . 2008-09-27 02:47 d--------	C:\Program Files\TabletPen
2008-09-27 02:47 . 2007-09-07 19:07	2,684,200	---------	C:\Windows\System32\PenTablet.cpl
2008-09-27 02:47 . 2007-09-07 19:04	1,380,680	---------	C:\Windows\System32\PenTablet.znc
2008-09-27 02:46 . 2007-02-16 01:11	11,440	--a------	C:\Windows\System32\drivers\WacomVKHid.sys
2008-09-27 02:44 . 2008-09-27 02:44 d--------	C:\Windows\System32\WTablet
2008-09-27 02:44 . 2008-09-27 02:46 d--------	C:\Program Files\Tablet
2008-09-27 02:44 . 2007-09-07 19:16	1,373,480	---------	C:\Windows\System32\Pen_Tablet.exe
2008-09-27 02:44 . 2007-09-07 18:55	181,544	---------	C:\Windows\System32\Wintab32.dll
2008-09-27 02:44 . 2007-09-07 19:09	128,296	---------	C:\Windows\System32\Pen_Tablet.dll
2008-09-27 02:44 . 2007-02-16 19:30	12,848	--a------	C:\Windows\System32\drivers\wacomvhid.sys
2008-09-27 02:44 . 2007-02-16 20:12	11,312	--a------	C:\Windows\System32\drivers\wacommousefilter.sys
2008-09-27 01:07 . 2008-09-27 01:07 d--------	C:\Program Files\Activision
2008-09-27 00:41 . 2008-09-27 00:41 d--------	C:\Users\Guest\AppData\Roaming\Ulead Systems
2008-09-27 00:39 . 2008-09-27 00:39 dr-------	C:\Users\Guest\Searches
2008-09-27 00:39 . 2008-09-27 00:39 dr-------	C:\Users\Guest\Contacts
2008-09-27 00:39 . 2008-09-27 00:39 d--------	C:\Users\Guest\AppData\Roaming\Symantec
2008-09-27 00:38 . 2008-09-27 00:39 dr-------	C:\Users\Guest\Videos
2008-09-27 00:38 . 2008-09-27 00:39 dr-------	C:\Users\Guest\Saved Games
2008-09-27 00:38 . 2008-09-27 00:39 dr-------	C:\Users\Guest\Pictures
2008-09-27 00:38 . 2008-09-27 00:39 dr-------	C:\Users\Guest\Music
2008-09-27 00:38 . 2008-09-27 00:39 dr-------	C:\Users\Guest\Links
2008-09-27 00:38 . 2008-09-27 00:39 dr-------	C:\Users\Guest\Downloads
2008-09-27 00:38 . 2008-09-27 00:39 dr-------	C:\Users\Guest\Documents
2008-09-27 00:38 . 2006-11-02 13:37 d--------	C:\Users\Guest\AppData\Roaming\Media Center Programs
2008-09-27 00:38 . 2008-09-27 00:39 d--h-----	C:\Users\Guest\AppData
2008-09-27 00:38 . 2008-10-08 01:28 d--------	C:\Users\Guest
2008-09-26 17:30 . 2008-09-27 00:41 d--------	C:\Program Files\World of Warcraft
2008-09-26 17:30 . 2008-09-26 17:31 d--------	C:\Program Files\Common Files\Blizzard Entertainment
2008-09-26 03:20 . 2008-09-26 03:20 d--------	C:\Program Files\Trend Micro
2008-09-26 02:47 . 2008-09-26 02:47 d--------	C:\Users\Natalie\AppData\Roaming\Malwarebytes
2008-09-26 02:47 . 2008-09-26 02:47 d--------	C:\Users\All Users\Malwarebytes
2008-09-26 02:47 . 2008-09-26 02:47 d--------	C:\ProgramData\Malwarebytes
2008-09-26 02:47 . 2008-09-29 02:08 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-09-26 02:47 . 2008-09-10 00:04	38,528	--a------	C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-26 02:47 . 2008-09-10 00:03	17,200	--a------	C:\Windows\System32\drivers\mbam.sys
2008-09-26 02:31 . 2008-09-26 02:31 d--------	C:\Users\All Users\SUPERAntiSpyware.com
2008-09-26 02:31 . 2008-09-26 02:31 d--------	C:\ProgramData\SUPERAntiSpyware.com
2008-09-26 02:30 . 2008-09-26 16:16 d--------	C:\Program Files\SUPERAntiSpyware
2008-09-26 02:19 . 2008-09-26 02:22 d--------	C:\Users\All Users\Spybot - Search & Destroy
2008-09-26 02:19 . 2008-09-26 02:22 d--------	C:\ProgramData\Spybot - Search & Destroy
2008-09-26 02:19 . 2008-09-26 02:19 d--------	C:\Program Files\Spybot - Search & Destroy
2008-09-26 01:13 . 2008-10-09 16:57 d--------	C:\Program Files\Spyware Doctor
2008-09-26 01:13 . 2008-06-10 21:22	81,288	--a------	C:\Windows\System32\drivers\iksyssec.sys
2008-09-26 01:13 . 2008-06-02 15:19	66,952	--a------	C:\Windows\System32\drivers\iksysflt.sys
2008-09-26 01:13 . 2008-06-02 15:19	42,376	--a------	C:\Windows\System32\drivers\ikfilesec.sys
2008-09-26 01:13 . 2008-06-02 15:19	29,576	--a------	C:\Windows\System32\drivers\kcom.sys
2008-09-26 01:05 . 2008-10-09 18:08 d--------	C:\Users\All Users\Google Updater
2008-09-26 01:05 . 2008-10-09 18:08 d--------	C:\ProgramData\Google Updater
2008-09-26 01:05 . 2008-09-26 01:05 d--------	C:\Program Files\Google
2008-09-26 00:48 . 2005-09-23 07:29	626,688	--a------	C:\Windows\System32\msvcr80.dll
2008-09-26 00:27 . 2008-09-26 00:27 d--------	C:\Users\Natalie\AppData\Roaming\PC Tools
2008-09-26 00:27 . 2008-10-10 01:01 d-a------	C:\Users\All Users\TEMP
2008-09-26 00:27 . 2008-10-10 01:01 d-a------	C:\ProgramData\TEMP
2008-09-25 23:32 . 2008-09-25 23:53 d--------	C:\Users\Natalie\AppData\Roaming\Ulead Systems
2008-09-25 23:30 . 2008-09-25 23:30 d--------	C:\Users\All Users\InterVideo
2008-09-25 23:30 . 2008-09-25 23:30 d--------	C:\ProgramData\InterVideo
2008-09-25 23:30 . 2008-09-25 23:30 d--------	C:\Program Files\Common Files\InterVideo
2008-09-25 23:30 . 2007-03-06 11:58	210,456	--a------	C:\Windows\System32\IVIresizeW7.dll
2008-09-25 23:30 . 2007-03-06 11:58	206,360	--a------	C:\Windows\System32\IVIresizeA6.dll
2008-09-25 23:30 . 2007-03-06 11:58	198,168	--a------	C:\Windows\System32\IVIresizeP6.dll
2008-09-25 23:30 . 2007-03-06 11:58	198,168	--a------	C:\Windows\System32\IVIresizeM6.dll
2008-09-25 23:30 . 2007-03-06 11:58	194,072	--a------	C:\Windows\System32\IVIresizePX.dll
2008-09-25 23:30 . 2007-03-06 11:58	26,136	--a------	C:\Windows\System32\IVIresize.dll
2008-09-25 23:29 . 2008-09-25 23:29 d--------	C:\Program Files\Windows Media Components
2008-09-25 23:27 . 2008-10-08 01:28 d--------	C:\Users\All Users\Ulead Systems
2008-09-25 23:27 . 2008-10-08 01:28 d--------	C:\ProgramData\Ulead Systems
2008-09-25 23:27 . 2008-09-25 23:29 d--------	C:\Program Files\Common Files\Ulead Systems
2008-09-25 23:25 . 2008-10-08 19:33 d--------	C:\Program Files\Ulead Systems
2008-09-25 23:09 . 2005-11-24 12:51	245,248	--a------	C:\Windows\System32\drivers\rt73.sys
2008-09-25 23:08 . 2008-09-25 23:08 d--------	C:\Program Files\Belkin
2008-09-25 23:08 . 2004-04-30 15:12	40,960	--a------	C:\Windows\System32\F5D9050.dll
2008-09-25 19:08 . 2008-09-25 19:08 d--------	C:\Users\All Users\Windows Genuine Advantage
2008-09-25 02:13 . 2008-09-25 02:13 d--------	C:\Users\All Users\Office Genuine Advantage
2008-09-25 02:13 . 2008-09-25 02:13 d--------	C:\ProgramData\Office Genuine Advantage
2008-09-24 23:50 . 2008-10-03 17:36 d--------	C:\Users\Natalie\dwhelper
2008-09-24 22:36 . 2008-09-24 22:36 d--------	C:\Program Files\Common Files\LightScribe
2008-09-24 22:30 . 2008-09-24 22:30 d--------	C:\Users\All Users\LightScribe
2008-09-24 22:30 . 2008-09-24 22:30 d--------	C:\ProgramData\LightScribe
2008-09-24 21:27 . 2008-09-24 21:56 d--------	C:\Temp
2008-09-24 20:37 . 2008-07-12 13:30	47	--a------	C:\Windows\System32\readme.bat
2008-09-24 19:31 . 2008-09-24 19:33 d--------	C:\Users\All Users\Lavasoft
2008-09-24 19:31 . 2008-09-24 19:33 d--------	C:\ProgramData\Lavasoft
2008-09-24 19:31 . 2008-09-24 19:31 d--------	C:\Program Files\Lavasoft
2008-09-24 19:30 . 2008-09-26 16:16 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-09-24 19:27 . 2008-09-24 19:27 d--------	C:\Users\All Users\Adobe Systems
2008-09-24 19:27 . 2008-09-24 19:27 d--------	C:\ProgramData\Adobe Systems
2008-09-24 19:23 . 2008-09-24 19:23 d--------	C:\Program Files\Common Files\Adobe Systems Shared
2008-09-24 02:44 . 2008-09-24 02:44 d--------	C:\Users\All Users\FLEXnet
2008-09-24 02:44 . 2008-09-24 02:44 d--------	C:\ProgramData\FLEXnet
2008-09-24 02:06 . 2008-09-24 02:06 d--------	C:\Users\All Users\Messenger Plus!
2008-09-24 02:06 . 2008-09-24 02:06 d--------	C:\ProgramData\Messenger Plus!
2008-09-24 00:52 . 2008-09-24 00:52 d--------	C:\Users\Natalie\AppData\Roaming\Template
2008-09-24 00:52 . 2008-10-02 00:19	702	--a------	C:\Users\Natalie\AppData\Roaming\wklnhst.dat
2008-09-23 23:34 . 2008-09-23 23:34 d--------	C:\Program Files\Veoh Networks
2008-09-23 21:05 . 2008-09-24 00:48 d--------	C:\Users\Natalie\AppData\Roaming\Azureus
2008-09-23 21:05 . 2008-09-23 21:05 d--------	C:\Users\All Users\Azureus
2008-09-23 21:05 . 2008-09-23 21:05 d--------	C:\ProgramData\Azureus
2008-09-23 20:36 . 2008-09-23 20:36 d--------	C:\Users\Natalie\AppData\Roaming\SystemRequirementsLab
2008-09-23 20:36 . 2008-09-23 20:36 d--------	C:\Program Files\SystemRequirementsLab
2008-09-23 20:35 . 2008-09-23 20:35 d--------	C:\Windows\Sun
2008-09-23 19:49 . 2008-09-23 20:13 d--------	C:\Users\Natalie\AppData\Roaming\CyberLink
2008-09-23 19:44 . 2008-09-23 19:44 d----c---	C:\Windows\System32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 15:32	56,957	----a-w	C:\Users\All Users\nvModes.dat
2008-10-09 15:32	56,957	----a-w	C:\ProgramData\nvModes.dat
2008-10-08 18:33	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-09-30 23:00	---------	d-----w	C:\Program Files\Java
2008-09-30 17:11	---------	d-----w	C:\ProgramData\Microsoft Help
2008-09-30 04:54	---------	d-----w	C:\ProgramData\WildTangent
2008-09-26 16:43	805	----a-w	C:\Windows\system32\drivers\SYMEVENT.INF
2008-09-26 16:43	123,952	----a-w	C:\Windows\system32\drivers\SYMEVENT.SYS
2008-09-26 16:43	10,671	----a-w	C:\Windows\system32\drivers\SYMEVENT.CAT
2008-09-26 16:43	---------	d-----w	C:\Program Files\Symantec
2008-09-26 16:38	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-09-26 15:30	---------	d-----w	C:\ProgramData\Symantec
2008-09-24 18:23	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-09-23 17:28	---------	d-----w	C:\ProgramData\CyberLink
2008-09-23 15:35	---------	d-----w	C:\Program Files\Windows Mail
2008-09-16 00:12	81,920	----a-w	C:\Windows\System32\dpl100.dll
2008-09-16 00:12	593,920	----a-w	C:\Windows\System32\dpuGUI11.dll
2008-09-16 00:12	57,344	----a-w	C:\Windows\System32\dpv11.dll
2008-09-16 00:12	53,248	----a-w	C:\Windows\System32\dpuGUI10.dll
2008-09-16 00:12	344,064	----a-w	C:\Windows\System32\dpus11.dll
2008-09-16 00:12	294,912	----a-w	C:\Windows\System32\dpu11.dll
2008-09-16 00:12	294,912	----a-w	C:\Windows\System32\dpu10.dll
2008-09-16 00:12	200,704	----a-w	C:\Windows\System32\ssldivx.dll
2008-09-16 00:12	196,608	----a-w	C:\Windows\System32\dtu100.dll
2008-09-16 00:12	1,044,480	----a-w	C:\Windows\System32\libdivx.dll
2008-08-29 09:18	87,336	----a-w	C:\Windows\System32\dns-sd.exe
2008-08-29 08:53	61,440	----a-w	C:\Windows\System32\dnssd.dll
2008-07-31 03:32	460,288	----a-w	C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32	28,160	----a-w	C:\Windows\System32\Apphlpdm.dll
2008-07-31 03:32	2,154,496	----a-w	C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32	173,056	----a-w	C:\Windows\AppPatch\AcXtrnal.dll
2008-07-31 01:13	4,240,384	----a-w	C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-21 02:43	174	--sha-w	C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-03 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-03 92704]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2008-04-02 468264]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-07 51048]
"QlbCtrl.exe"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-06-19 946176]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
Rapidown.lnk - C:\Program Files\Rapidown\rapidown.exe [2008-09-30 1044992]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-09-11 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{73DCAADE-7627-4A60-8086-FF24BB17F1EB}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{2F027587-83B6-45B1-BB62-3CA8EF66ABBA}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{D0C40AC4-6AEC-4CB1-8E4D-BB41A513DE82}"= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{8D7A5FAD-4221-4887-8932-355D9ED791D9}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3137D307-CCAE-4112-94B6-5641398A88CB}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{42B90F95-FF38-4ACE-ABDC-64E89E5BEAFF}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{902A2ADF-D21B-403B-AD1B-BE1839E3A278}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{40307A1A-8E93-426F-BA00-99DD6600A1D4}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{6AB25FE0-88B1-4987-97FA-C54343C65C94}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9A7ADBC0-94A4-4929-B78F-E9C5FD8E7195}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081003.001\IDSvix86.sys [2008-09-12 270384]
R2 ezSharedSvc;Easybits Shared Services for Windows;C:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-07 149864]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Windows\SMINST\BLService.exe [2008-04-26 361808]
R2 TabletServicePen;TabletServicePen;C:\Windows\system32\Pen_Tablet.exe [2007-09-07 1373480]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-04-17 203776]
R3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 7168]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda32v.sys [2008-05-03 42528]
R3 RTSTOR;Realtek USB 2.0 Card Reader;C:\Windows\system32\drivers\RTSTOR.SYS [2008-04-22 62976]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\Windows\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\Windows\system32\DRIVERS\wacomvhid.sys [2007-02-16 12848]
R3 WacomVKHid;Virtual Keyboard Driver;C:\Windows\system32\DRIVERS\WacomVKHid.sys [2007-02-16 11440]
S3 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S3 GameConsoleService;GameConsoleService;C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2007-07-24 181800]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-09-23 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Natalie.job
- c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 13:05]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Natalie\AppData\Roaming\Mozilla\Firefox\Profiles\fcgbzlxs.default\
FF -: plugin - C:\Program Files\Google\Google Updater\2.3.1334.1308\npCIDetect13.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 01:10:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-10 1:12:37
ComboFix-quarantined-files.txt 2008-10-10 00:12:28
ComboFix2.txt 2008-10-09 23:58:58

Pre-Run: 118,462,205,952 bytes free
Post-Run: 118,431,547,392 bytes free

293	--- E O F ---	2008-10-02 16:55:37


----------



## Cookiegal (Aug 27, 2003)

Would you also please post the log from the first run of ComboFix? It will be named ComboFix2.txt.


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*Java(TM) 6 Update 4*
*Viewpoint Media Player*

Read here about Rapidown. I recommend uninstalling it but it's up to you:

Rapidown
http://www.systemlookup.com/CLSID/488-rapi310_dll.html

Delete these two folders:

Folder::
C:\Users\Natalie\AppData\Roaming\WildTangent
C:\ProgramData\WildTangent

After doing the above, reboot and post a new HijackThis log please.


----------



## Dantesgirl (Sep 26, 2008)

Thanks for the reply.

I did everything you said, but I already uninstalled Rapidown yesterday as it was quite a nuisance. I have my desktop icons set up in a particular order and upon start-up, Rapidown would automatically run and create a new desktop icon, something that annoyed me. Also, when I went to uninstall it via Control Panel, it would just start up again. It took me around a week to figure out how to uninstall it - through the program's own 'options' menu.

I've searched my computer and I can't find the second ComboFix log, sorry. I thought it just brought up a list of items on your computer like HijackThis; I didn't think it automatically fixed some things.

Here's the fresh HJT log as requested:

--
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47:39, on 13/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\Geek.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13223 bytes


----------



## Cookiegal (Aug 27, 2003)

I'm sorry, I should have been more specific. You should find the ComboFix log in this location:

*C:\qoobox\ComboFix2.txt*


----------



## Dantesgirl (Sep 26, 2008)

Found it; I just checked in C:\

Here's the first ComboFix log:

--
ComboFix 08-10-08.05 - Natalie 2008-10-10 0:48:01.1 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.918 [GMT 1:00]
Running from: C:\Users\Natalie\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-08 19:33 . 2008-10-08 19:33 d-------- C:\Windows\Noslip
2008-10-08 19:33 . 2008-10-08 19:34 296 --a------ C:\Windows\ULEAD32.INI
2008-10-07 21:54 . 2008-10-07 21:54 d-------- C:\Users\Natalie\AppData\Roaming\Uniblue
2008-10-07 21:54 . 2008-10-07 21:54 d--h-c--- C:\Users\All Users\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-07 21:54 . 2008-10-07 21:54 d--h-c--- C:\ProgramData\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-05 18:03 . 2008-10-08 01:28 d-------- C:\Program Files\BHODemon 2
2008-10-05 17:41 . 2008-10-05 17:41 d-------- C:\VundoFix Backups
2008-10-05 17:08 . 2008-10-05 17:08 d-------- C:\WTablet
2008-10-04 20:19 . 2008-10-04 20:19 d-------- C:\Program Files\Elaborate Bytes
2008-10-04 00:08 . 2008-10-04 00:08 d-------- C:\Program Files\Alcohol Soft
2008-10-03 19:44 . 2008-10-03 19:44 716,272 --a------ C:\Windows\System32\drivers\sptd.sys
2008-10-01 00:05 . 2008-10-09 16:33 d-------- C:\Users\Natalie\AppData\Roaming\OpenOffice.org2
2008-10-01 00:01 . 2008-10-01 00:01 d-------- C:\Program Files\OpenOffice.org 2.4
2008-09-30 17:56 . 2008-10-08 01:28 d-------- C:\Program Files\Rapidown
2008-09-30 05:52 . 2008-09-30 05:52 d-------- C:\Users\Natalie\AppData\Roaming\WildTangent
2008-09-29 21:30 . 2008-09-29 21:30 d-------- C:\Program Files\Common Files\Java
2008-09-29 21:09 . 2008-09-29 21:09 d-------- C:\_OTMoveIt
2008-09-27 22:13 . 2008-09-27 22:13 d-------- C:\Users\Natalie\AppData\Roaming\DivX
2008-09-27 22:13 . 2008-09-27 22:13 d-------- C:\Program Files\DivX
2008-09-27 22:13 . 2008-09-27 22:13 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-09-27 02:47 . 2008-10-09 16:32 d-------- C:\Users\Natalie\AppData\Roaming\WTablet
2008-09-27 02:47 . 2008-09-27 02:47 d-------- C:\Users\All Users\AppData
2008-09-27 02:47 . 2008-09-27 02:47 d-------- C:\ProgramData\AppData
2008-09-27 02:47 . 2008-09-27 02:47 d-------- C:\Program Files\TabletPen
2008-09-27 02:47 . 2007-09-07 19:07 2,684,200 --------- C:\Windows\System32\PenTablet.cpl
2008-09-27 02:47 . 2007-09-07 19:04 1,380,680  --------- C:\Windows\System32\PenTablet.znc
2008-09-27 02:46 . 2007-02-16 01:11 11,440 --a------ C:\Windows\System32\drivers\WacomVKHid.sys
2008-09-27 02:44 . 2008-09-27 02:44 d-------- C:\Windows\System32\WTablet
2008-09-27 02:44 . 2008-09-27 02:46 d-------- C:\Program Files\Tablet
2008-09-27 02:44 . 2007-09-07 19:16 1,373,480 --------- C:\Windows\System32\Pen_Tablet.exe
2008-09-27 02:44 . 2007-09-07 18:55 181,544 --------- C:\Windows\System32\Wintab32.dll
2008-09-27 02:44 . 2007-09-07 19:09 128,296 --------- C:\Windows\System32\Pen_Tablet.dll
2008-09-27 02:44 . 2007-02-16 19:30 12,848 --a------ C:\Windows\System32\drivers\wacomvhid.sys
2008-09-27 02:44 . 2007-02-16 20:12 11,312 --a------ C:\Windows\System32\drivers\wacommousefilter.sys
2008-09-27 01:07 . 2008-09-27 01:07 d-------- C:\Program Files\Activision
2008-09-27 00:41 . 2008-09-27 00:41 d-------- C:\Users\Guest\AppData\Roaming\Ulead Systems
2008-09-27 00:39 . 2008-09-27 00:39 dr------- C:\Users\Guest\Searches
2008-09-27 00:39 . 2008-09-27 00:39 dr------- C:\Users\Guest\Contacts
2008-09-27 00:39 . 2008-09-27 00:39 d-------- C:\Users\Guest\AppData\Roaming\Symantec
2008-09-27 00:38 . 2008-09-27 00:39 dr------- C:\Users\Guest\Videos
2008-09-27 00:38 . 2008-09-27 00:39 dr------- C:\Users\Guest\Saved Games
2008-09-27 00:38 . 2008-09-27 00:39 dr------- C:\Users\Guest\Pictures
2008-09-27 00:38 . 2008-09-27 00:39 dr------- C:\Users\Guest\Music
2008-09-27 00:38 . 2008-09-27 00:39 dr------- C:\Users\Guest\Links
2008-09-27 00:38 . 2008-09-27 00:39 dr------- C:\Users\Guest\Downloads
2008-09-27 00:38 . 2008-09-27 00:39 dr------- C:\Users\Guest\Documents
2008-09-27 00:38 . 2006-11-02 13:37 d-------- C:\Users\Guest\AppData\Roaming\Media Center Programs
2008-09-27 00:38 . 2008-09-27 00:39 d--h----- C:\Users\Guest\AppData
2008-09-27 00:38 . 2008-10-08 01:28 d-------- C:\Users\Guest
2008-09-26 17:30 . 2008-09-27 00:41 d-------- C:\Program Files\World of Warcraft
2008-09-26 17:30 . 2008-09-26 17:31 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-09-26 03:20 . 2008-09-26 03:20 d-------- C:\Program Files\Trend Micro
2008-09-26 02:47 . 2008-09-26 02:47 d-------- C:\Users\Natalie\AppData\Roaming\Malwarebytes
2008-09-26 02:47 . 2008-09-26 02:47 d-------- C:\Users\All Users\Malwarebytes
2008-09-26 02:47 . 2008-09-26 02:47 d-------- C:\ProgramData\Malwarebytes
2008-09-26 02:47 . 2008-09-29 02:08 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-26 02:47 . 2008-09-10 00:04 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-26 02:47 . 2008-09-10 00:03 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-26 02:31 . 2008-09-26 02:31 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-09-26 02:31 . 2008-09-26 02:31 d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-09-26 02:30 . 2008-09-26 16:16 d-------- C:\Program Files\SUPERAntiSpyware
2008-09-26 02:19 . 2008-09-26 02:22 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-09-26 02:19 . 2008-09-26 02:22 d-------- C:\ProgramData\Spybot - Search & Destroy
2008-09-26 02:19 . 2008-09-26 02:19 d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-26 01:13 . 2008-10-09 16:57 d-------- C:\Program Files\Spyware Doctor
2008-09-26 01:13 . 2008-06-10 21:22 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-09-26 01:13 . 2008-06-02 15:19 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-09-26 01:13 . 2008-06-02 15:19 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-09-26 01:13 . 2008-06-02 15:19 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-09-26 01:05 . 2008-10-09 18:08 d-------- C:\Users\All Users\Google Updater
2008-09-26 01:05 . 2008-10-09 18:08 d-------- C:\ProgramData\Google Updater
2008-09-26 01:05 . 2008-09-26 01:05 d-------- C:\Program Files\Google
2008-09-26 00:48 . 2005-09-23 07:29 626,688 --a------ C:\Windows\System32\msvcr80.dll
2008-09-26 00:27 . 2008-09-26 00:27 d-------- C:\Users\Natalie\AppData\Roaming\PC Tools
2008-09-26 00:27 . 2008-10-10 00:44 d-a------ C:\Users\All Users\TEMP
2008-09-26 00:27 . 2008-10-10 00:44 d-a------ C:\ProgramData\TEMP
2008-09-25 23:32 . 2008-09-25 23:53 d-------- C:\Users\Natalie\AppData\Roaming\Ulead Systems
2008-09-25 23:30 . 2008-09-25 23:30 d-------- C:\Users\All Users\InterVideo
2008-09-25 23:30 . 2008-09-25 23:30 d-------- C:\ProgramData\InterVideo
2008-09-25 23:30 . 2008-09-25 23:30 d-------- C:\Program Files\Common Files\InterVideo
2008-09-25 23:30 . 2007-03-06 11:58 210,456 --a------ C:\Windows\System32\IVIresizeW7.dll
2008-09-25 23:30 . 2007-03-06 11:58 206,360 --a------ C:\Windows\System32\IVIresizeA6.dll
2008-09-25 23:30 . 2007-03-06 11:58 198,168 --a------ C:\Windows\System32\IVIresizeP6.dll
2008-09-25 23:30 . 2007-03-06 11:58 198,168 --a------ C:\Windows\System32\IVIresizeM6.dll
2008-09-25 23:30 . 2007-03-06 11:58 194,072 --a------ C:\Windows\System32\IVIresizePX.dll
2008-09-25 23:30 . 2007-03-06 11:58 26,136 --a------ C:\Windows\System32\IVIresize.dll
2008-09-25 23:29 . 2008-09-25 23:29 d-------- C:\Program Files\Windows Media Components
2008-09-25 23:27 . 2008-10-08 01:28 d-------- C:\Users\All Users\Ulead Systems
2008-09-25 23:27 . 2008-10-08 01:28 d-------- C:\ProgramData\Ulead Systems
2008-09-25 23:27 . 2008-09-25 23:29 d-------- C:\Program Files\Common Files\Ulead Systems
2008-09-25 23:25 . 2008-10-08 19:33 d-------- C:\Program Files\Ulead Systems
2008-09-25 23:09 . 2005-11-24 12:51 245,248 --a------ C:\Windows\System32\drivers\rt73.sys
2008-09-25 23:08 . 2008-09-25 23:08 d-------- C:\Program Files\Belkin
2008-09-25 23:08 . 2004-04-30 15:12 40,960 --a------ C:\Windows\System32\F5D9050.dll
2008-09-25 19:08 . 2008-09-25 19:08 d-------- C:\Users\All Users\Windows Genuine Advantage
2008-09-25 02:13 . 2008-09-25 02:13 d-------- C:\Users\All Users\Office Genuine Advantage
2008-09-25 02:13 . 2008-09-25 02:13 d-------- C:\ProgramData\Office Genuine Advantage
2008-09-24 23:50 . 2008-10-03 17:36 d-------- C:\Users\Natalie\dwhelper
2008-09-24 22:36 . 2008-09-24 22:36 d-------- C:\Program Files\Common Files\LightScribe
2008-09-24 22:30 . 2008-09-24 22:30 d-------- C:\Users\All Users\LightScribe
2008-09-24 22:30 . 2008-09-24 22:30 d-------- C:\ProgramData\LightScribe
2008-09-24 21:27 . 2008-09-24 21:56 d-------- C:\Temp
2008-09-24 20:37 . 2008-07-12 13:30 47 --a------ C:\Windows\System32\readme.bat
2008-09-24 19:31 . 2008-09-24 19:33 d-------- C:\Users\All Users\Lavasoft
2008-09-24 19:31 . 2008-09-24 19:33 d-------- C:\ProgramData\Lavasoft
2008-09-24 19:31 . 2008-09-24 19:31 d-------- C:\Program Files\Lavasoft
2008-09-24 19:30 . 2008-09-26 16:16 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-24 19:27 . 2008-09-24 19:27 d-------- C:\Users\All Users\Adobe Systems
2008-09-24 19:27 . 2008-09-24 19:27 d-------- C:\ProgramData\Adobe Systems
2008-09-24 19:23 . 2008-09-24 19:23 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-09-24 02:44 . 2008-09-24 02:44 d-------- C:\Users\All Users\FLEXnet
2008-09-24 02:44 . 2008-09-24 02:44 d-------- C:\ProgramData\FLEXnet
2008-09-24 02:06 . 2008-09-24 02:06 d-------- C:\Users\All Users\Messenger Plus!
2008-09-24 02:06 . 2008-09-24 02:06 d-------- C:\ProgramData\Messenger Plus!
2008-09-24 00:52 . 2008-09-24 00:52 d-------- C:\Users\Natalie\AppData\Roaming\Template
2008-09-24 00:52 . 2008-10-02 00:19 702 --a------ C:\Users\Natalie\AppData\Roaming\wklnhst.dat
2008-09-23 23:34 . 2008-09-23 23:34 d-------- C:\Program Files\Veoh Networks
2008-09-23 21:05 . 2008-09-24 00:48 d-------- C:\Users\Natalie\AppData\Roaming\Azureus
2008-09-23 21:05 . 2008-09-23 21:05 d-------- C:\Users\All Users\Azureus
2008-09-23 21:05 . 2008-09-23 21:05 d-------- C:\ProgramData\Azureus
2008-09-23 20:36 . 2008-09-23 20:36 d-------- C:\Users\Natalie\AppData\Roaming\SystemRequirementsLab
2008-09-23 20:36 . 2008-09-23 20:36 d-------- C:\Program Files\SystemRequirementsLab
2008-09-23 20:35 . 2008-09-23 20:35 d-------- C:\Windows\Sun
2008-09-23 19:49 . 2008-09-23 20:13 d-------- C:\Users\Natalie\AppData\Roaming\CyberLink
2008-09-23 19:44 . 2008-09-23 19:44 d----c--- C:\Windows\System32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 15:32 56,957 ----a-w C:\Users\All Users\nvModes.dat
2008-10-09 15:32 56,957 ----a-w C:\ProgramData\nvModes.dat
2008-10-08 18:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-30 23:00 --------- d-----w C:\Program Files\Java
2008-09-30 17:11 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-30 04:54 --------- d-----w C:\ProgramData\WildTangent
2008-09-26 16:43 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-09-26 16:43 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-09-26 16:43 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-09-26 16:43 --------- d-----w C:\Program Files\Symantec
2008-09-26 16:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-26 15:30 --------- d-----w C:\ProgramData\Symantec
2008-09-24 18:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-23 17:28 --------- d-----w C:\ProgramData\CyberLink
2008-09-23 15:35 --------- d-----w C:\Program Files\Windows Mail
2008-09-16 00:12 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-08-29 09:18 87,336 ----a-w C:\Windows\System32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w C:\Windows\System32\dnssd.dll
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 28,160 ----a-w C:\Windows\System32\Apphlpdm.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-31 01:13 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-03 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-03 92704]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2008-04-02 468264]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-07 51048]
"QlbCtrl.exe"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

C:\Users\Natalie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-06-19 946176]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
Rapidown.lnk - C:\Program Files\Rapidown\rapidown.exe [2008-09-30 1044992]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-09-11 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{73DCAADE-7627-4A60-8086-FF24BB17F1EB}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{2F027587-83B6-45B1-BB62-3CA8EF66ABBA}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{D0C40AC4-6AEC-4CB1-8E4D-BB41A513DE82}"= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{8D7A5FAD-4221-4887-8932-355D9ED791D9}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3137D307-CCAE-4112-94B6-5641398A88CB}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{42B90F95-FF38-4ACE-ABDC-64E89E5BEAFF}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{902A2ADF-D21B-403B-AD1B-BE1839E3A278}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{40307A1A-8E93-426F-BA00-99DD6600A1D4}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{6AB25FE0-88B1-4987-97FA-C54343C65C94}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9A7ADBC0-94A4-4929-B78F-E9C5FD8E7195}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081003.001\IDSvix86.sys [2008-09-12 270384]
R2 ezSharedSvc;Easybits Shared Services for Windows;C:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-07 149864]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Windows\SMINST\BLService.exe [2008-04-26 361808]
R2 TabletServicePen;TabletServicePen;C:\Windows\system32\Pen_Tablet.exe [2007-09-07 1373480]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-04-17 203776]
R3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 7168]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda32v.sys [2008-05-03 42528]
R3 RTSTOR;Realtek USB 2.0 Card Reader;C:\Windows\system32\drivers\RTSTOR.SYS [2008-04-22 62976]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\Windows\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\Windows\system32\DRIVERS\wacomvhid.sys [2007-02-16 12848]
R3 WacomVKHid;Virtual Keyboard Driver;C:\Windows\system32\DRIVERS\WacomVKHid.sys [2007-02-16 11440]
S3 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S3 GameConsoleService;GameConsoleService;C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2007-07-24 181800]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-09-23 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Natalie.job
- c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 13:05]
.
- - - - ORPHANS REMOVED - - - -

BHO-{140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
HKLM-Run-F5D9050 - C:\Program Files\Belkin\F5D9050\Belkinwcui.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Natalie\AppData\Roaming\Mozilla\Firefox\Profiles\fcgbzlxs.default\
FF -: plugin - C:\Program Files\Google\Google Updater\2.3.1334.1308\npCIDetect13.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 00:56:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-10 0:58:56
ComboFix-quarantined-files.txt 2008-10-09 23:58:47

Pre-Run: 119,182,000,128 bytes free
Post-Run: 118,844,477,440 bytes free

295 --- E O F --- 2008-10-02 16:55:37


----------



## Cookiegal (Aug 27, 2003)

OK, thanks.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version (it's the fifth one down the list):

*Java Runtime Environment (JRE) 6 Update 7*

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## Dantesgirl (Sep 26, 2008)

I've been doing the scan for over an hour and a half and so far it's only at 18%.

Would there be an alternative to this scan or will I have to leave the laptop on overnight? I'm very tired.

*EDIT:* Scan went from 33% to finished immediately, confusing.

Anyway, here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 14, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 14, 2008 00:28:33
Records in database: 1309715
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 150447
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:25:11

File name / Threat name / Threats count
C:\Users\Natalie\Downloads\setupxv.exe Infected: not-a-virus:FraudTool.Win32.AntiSpyware.hx 1

The selected area was scanned.

*ANOTHER EDIT:* I just got two consecutive emails which I deleted immediately and refused to open. Here are the titles:

'Figght foreclosure'
'Don t let your lender forecclose'

Fair enough, whatever this thing is, it certainly has my details. What I want to know is that if I get rid of it, will I stop receiving these emails? Also, I've used my sister's PayPal account on this laptop, is there any way this could compromise the account's security?


----------



## Cookiegal (Aug 27, 2003)

If there was an infection, without knowing the payload I'd say you would be wise to change the PayPal password and any others for logins to sites or for financial transactions.

Please check your SpyBot logs and let me know exactly what it was detecting as Virtumonde.sci or post the log.


----------



## Dantesgirl (Sep 26, 2008)

As requested, here is my Spybot S&D log:

Hint of the Day: Click the bar at the right of this to see more information! ()

GrokLoader: [SBI $A8A047C2] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2323068188-3394716333-2775170901-1000\Software\Softwrap\Adtracker________

Virtumonde.sci: [SBI $B1BAF2AC] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}

DoubleClick: Tracking cookie (Internet Explorer: Natalie) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

Adviva: Tracking cookie (Firefox: default) (Cookie, nothing done)

Adviva: Tracking cookie (Firefox: default) (Cookie, nothing done)

DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)

Tradedoubler: Tracking cookie (Firefox: default) (Cookie, nothing done)

Tradedoubler: Tracking cookie (Firefox: default) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)

BlueStreak: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-09-26 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-09-02 Includes\Adware.sbi (*)
2008-09-09 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-09-02 Includes\Hijackers.sbi (*)
2008-09-02 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-09-23 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-09-09 Includes\Malware.sbi (*)
2008-09-23 Includes\MalwareC.sbi (*)
2008-09-02 Includes\PUPS.sbi (*)
2008-09-11 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-09-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-09-09 Includes\Spyware.sbi (*)
2008-09-23 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-09-16 Includes\Trojans.sbi (*)
2008-09-23 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Usually I remove Grokster with Spyware Doctor, but it keeps coming back.


----------



## Cookiegal (Aug 27, 2003)

The GrokLoader detection belongs to Ulead VideoStudio so it gets recreated every time it's used.

The Virtumonde.sci one is this one:

Virtumonde.sci: [SBI $B1BAF2AC] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}

It's a Browser Helper Object that no longer has a file associated with it so something must have deleted the file along the way although you said all scans showed nothing. The rest was removed by ComboFix since there was no longer a file associated with it.

You should let Spybot remove those cookies.

Please post a new HijackThis log.
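The orphaned-BHO situation above (a CLSID still registered under Browser Helper Objects but with no DLL left on disk) can be checked directly rather than waiting for a scanner to flag it. The script below is an added example, not something posted in this thread or shipped with Spybot or ComboFix; the function name Get-BhoStatus is made up for illustration, while the registry paths are the standard ones used by Internet Explorer on 32-bit Windows.

```powershell
# Added example: enumerate registered Browser Helper Objects and report which
# ones still resolve to an existing DLL. Read-only; it changes nothing.
# Get-BhoStatus is a hypothetical helper name chosen for this example.

$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoStatus {
    if (-not (Test-Path -Path $BhoKey)) { return @() }

    Get-ChildItem -Path $BhoKey | ForEach-Object {
        $clsid = $_.PSChildName

        # The DLL that implements a BHO is recorded as the default value of
        # HKCR\CLSID\{guid}\InprocServer32. If that key is gone, or the file it
        # points to is gone, IE can no longer load the object but the BHO key
        # still exists, which is exactly what Spybot reports as a leftover.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
        }

        $status = if (-not $dll) {
            'orphaned (no InprocServer32 entry)'
        } elseif (Test-Path -LiteralPath $dll) {
            'ok'
        } else {
            'orphaned (DLL missing on disk)'
        }

        [PSCustomObject]@{
            CLSID  = $clsid
            Dll    = $dll
            Status = $status
        }
    }
}

# Show every BHO; the ones worth investigating are those not marked 'ok'.
Get-BhoStatus | Sort-Object Status | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit IE registrations live under the WOW6432Node branch of the same paths, so run the check against both if that applies.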


----------



## Dantesgirl (Sep 26, 2008)

Sorry for the long wait; I had to do a re-scan as I accidentally closed S&D the first time round. After a reboot, here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:29:49, on 14/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\Geek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13082 bytes

Also, I'd hate to be a wet blanket but Ulead VideoStudio is my main piece of video editing software and I wouldn't really like to lose it. Is Grokster just simply something that appears to be malicious (such as Spyware Doctor thinking ComboFix is a trojan) or does it pose an actual risk to my computer?


----------



## Cookiegal (Aug 27, 2003)

Sorry for the delay but I had computer problems of my own. 

The Ulead program itself is fine but it bundles adware called Adtracker. Let's search for entries in the registry.

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and double click on the file to run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and Paste the following in the search box:

Adtracker

Copy and paste the results here please.


----------



## Dantesgirl (Sep 26, 2008)

No worries, we all know that problem. 

I downloaded the tool and searched for Adtracker, but I got this message:

Then when I clicked 'Ok', I got this message:


Just so you know, I had my antivirus temporarily disabled.


----------



## Cookiegal (Aug 27, 2003)

It could be that tool doesn't work on Vista. Are you comfortable going into the registry and making a change manually?


----------



## Dantesgirl (Sep 26, 2008)

I wouldn't be uncomfortable making a change since I'm under the guidance of someone who knows what they're doing. 

What would I need to do?


----------



## Cookiegal (Aug 27, 2003)

Go to Start - All Programs - Accessories then right-click Command Prompt and then point to Run as administrator. In the command prompt that opens, type regedit.exe to open the registry editor.

Now expand each of the following keys by clicking on the + that appears to their left.

HKEY_USERS
S-1-5-21-2323068188-3394716333-2775170901-1000
Software
Softwrap

When you expand the Softwrap folder, you should see another entry that looks like a folder under it but still in the left pane called Adtracker________ (I don't know for sure if it will have the underscores after the name or not). Before changing or deleting anything, just let me know if you see it there (and not in the pane on the right side).

Also, if it's there, does it have a + to the left of it to expand it further?


----------



## Dantesgirl (Sep 26, 2008)

When I located Softwrap, there was no drop-down menu; it was only that entry.


----------



## Cookiegal (Aug 27, 2003)

So that suggests it's gone. Is SpyBot still detecting it?


----------



## Dantesgirl (Sep 26, 2008)

Spyware Doctor was the only scanning software that could detect it, but then again, I haven't run VideoStudio since my last scan when it was detected and removed.

Should I run VideoStudio and then take a look at my registry?


----------



## Cookiegal (Aug 27, 2003)

Yes, please do that.


----------



## Dantesgirl (Sep 26, 2008)

Okay, I found that and it detected Adtracker. In the Adtracker folder, there's a folder called ga_main with a default and a cookie.

What should I do now?


----------



## Cookiegal (Aug 27, 2003)

I don't follow. Where are you seeing the AdTracker folder?


----------



## Dantesgirl (Sep 26, 2008)

Since explaining things has never been one of my strong points, here's a screenshot of the Adtracker folder, the folder contained within that and the contents of that folder.


----------



## Cookiegal (Aug 27, 2003)

What version of SpyBot are you running?


----------



## Dantesgirl (Sep 26, 2008)

Currently I have 1.6.0 with all the updates. Also, I have TeaTimer disabled.


----------



## Cookiegal (Aug 27, 2003)

OK, this is all I could really find on what to do about AdTracker.

http://forums.spybot.info/showthread.php?t=19834&highlight=AdTracker

Let me know if you're not comfortable doing the steps and need guidance with it.


----------



## Dantesgirl (Sep 26, 2008)

Thanks for the link, I did everything in the thread posted and loaded up VideoStudio (which, might I add, loaded faster than ever before), then closed it again. Afterwards, I did a scan with Spyware Doctor and it found nothing, so thanks a lot for helping me with that!

I don't mean to be rude (I certainly feel it right now), but can I draw your attention to the file the online scanner said was infected?

File name / Threat name / Threats count
C:\Users\Natalie\Downloads\setupxv.exe Infected: not-a-virus:FraudTool.Win32.AntiSpyware.hx 1

I found the file, but when I right-clicked it and selected 'Scan with MalwareBytes', nothing happened. I don't remember downloading a file with that name and I'm a bit freaked out by it.


----------



## Cookiegal (Aug 27, 2003)

Sorry, I got off on another track and forgot to go back to that scan.

Indeed delete this file:

C:\Users\Natalie\Downloads\*setupxv.exe*

Then run Kaspersky on-line again and post that log please.


----------



## Dantesgirl (Sep 26, 2008)

I deleted the file and ran the scan, which came up completely clean.


----------



## Cookiegal (Aug 27, 2003)

Are there any other problems?


----------



## Dantesgirl (Sep 26, 2008)

Not that I know of - the laptop's running very well and I did a Spybot scan last night which came up completely clean, as do all my Spyware Doctor scans. 

Are there any further steps you'd recommend for me?


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log to see if everything is fine.


----------



## Dantesgirl (Sep 26, 2008)

HijackThis log as requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:10:23, on 22/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Trend Micro\HijackThis\Geek.exe
C:\Program Files\Hp\HP Software Update\HPWUCli.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14045 bytes


----------



## Cookiegal (Aug 27, 2003)

*Follow these steps to uninstall Combofix and all of its files and components.*

Click *START* then *RUN*
Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

Click on the Start button to open your Start Menu. 
Click on the Control Panel menu option.
Click on the System and Maintenance menu option.
Click on the System menu option.
Click on System Protection in the left-hand task list.

You will now be at the System Protection tab in the System control panel.

Clear the check box next to the disk to turn off System Protection, and then click OK. This will flush out all previous restore points.

Now select the check box next to the disk, and then click OK to turn system restore back on.

Now create a new restore point. Click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.

Type in a title for the manual restore point and press the Create button. Vista will now create a manual restore point, and when completed, display a notice saying that it was created successfully.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

***

You should trim down your start-ups (these show as the O4 entries in your HijackThis log) as there are too many running. You can research them at these sites and if they aren't required at start-up then you can uncheck them in msconfig. To do that, click *Start*, type *msconfig*, hit *Enter* and then click on the *Start-up tab*.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php
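
As an added example (not from this thread, HijackThis or any of the sites above), here is a small Python parser for the O4 lines of a HijackThis 2.x log, which turns each autostart entry into its location, value name, executable and arguments so the list can be reviewed before anything is unchecked in msconfig. The sample input is constructed from lines in the log above; deciding which entries are actually needed stays a manual job, as Cookiegal says.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: O4 lines copied from the HijackThis log above,
# plus one non-O4 line that the parser must ignore. Not a complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Registry-based autostart: "O4 - <hive>\..\<key>: [<value name>] <command>"
_REG_RE = re.compile(
    r"^O4 - (?P<location>(?:HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# Startup-folder shortcut: "O4 - Startup: <name>.lnk = <target>"
_FOLDER_RE = re.compile(
    r"^O4 - (?P<location>Global Startup|Startup): (?P<name>.+?) = (?P<command>.*)$"
)
# HijackThis appends the owning account for per-user hives other than HKCU.
_USER_RE = re.compile(r"\s+\(User '(?P<user>[^']*)'\)$")

@dataclass
class StartupEntry:
    location: str        # e.g. HKLM\..\Run, Startup, Global Startup
    name: str            # registry value name or shortcut file name
    command: str         # command line as logged, minus the (User ...) suffix
    executable: str      # program that actually runs
    arguments: str       # everything after the executable ("" if none)
    user: "str | None"   # account for HKUS entries, else None

def split_command(command: str):
    """Split off the executable: honour quotes, else stop at the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    if m:  # unquoted path with spaces, e.g. C:\Program Files\...\QlbCtrl.exe /Start
        return command[:m.end()], command[m.end():].strip()
    head, _, tail = command.partition(" ")
    return head, tail.strip()

def parse_o4_line(line: str):
    """Return a StartupEntry for an O4 line, or None for any other log line."""
    line = line.rstrip("\r\n")
    m = _REG_RE.match(line) or _FOLDER_RE.match(line)
    if not m:
        return None
    command, user = m.group("command"), None
    um = _USER_RE.search(command)
    if um:
        user, command = um.group("user"), command[:um.start()]
    exe, args = split_command(command)
    return StartupEntry(m.group("location"), m.group("name"),
                        command.strip(), exe, args, user)

def parse_log(text: str):
    """Parse every O4 line of a HijackThis log, skipping all other sections."""
    entries = [parse_o4_line(l) for l in text.splitlines()]
    return [e for e in entries if e is not None]

def summarize_by_location(entries):
    """Count autostart entries per location, to see where the bulk comes from."""
    return dict(Counter(e.location for e in entries))

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.location:24} [{e.name}] -> {e.executable} {e.arguments}".rstrip())
    print(summarize_by_location(parse_log(SAMPLE_LOG)))
```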


----------



## Dantesgirl (Sep 26, 2008)

Thanks a lot for the advice, especially how to change what I load at start-up - I asked my dad how to change what loaded at start-up a few weeks ago, but he just told me not to mess around with things I wasn't quite sure of (yeah, he's quite paranoid...).

Since I've gotten access to PayPal now, I'll see what I can do about a donation to show my appreciation.


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure.


----------

