HELP! I have win32.trojandownloader.zlob!

oatsey1983 · #1 (**permalink**) 27-10-2007, 11:49 AM

Hi again guys,

I have virus called win32.trojandownloader.zlob which Adaware cannot remove. I constantly flashes up with spam windows menus stating 'System Alert: Trojan-Spy.win32@mx found, and redirects me to sites to download removal tools.

I visited page: http://www.f-secure.com/v-descs/zlob.shtml and downloaded the removal tool but it is still on my system.

I have Windows Vista, core duo 2ghz and 2gb ram and a 300gb harddrive and my pc is running slow!

I left pc on overnight and I had 98 internet explorers open in the morning with 3rd party sites and pop ups for spam/malware removal.

The funny thing is, is that I use firefox??

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:31, on 27/10/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Image Add-on\icthis.exe
C:\Program Files\Image Add-on\isfmntr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Image Add-on\icmntr.exe
C:\Program Files\Image Add-on\isfmm.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Image Add-on\isfmdl.dll
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Image Add-on\ictmdl.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h30155.www3.hp.com/ediags/dd/...sticsVista.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer = 195.92.195.94,195.92.195.95
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.e xe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Steven\AppData\Local\Temp\DX9\SessionLaun cher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Please can you help me,http://www.d-a-l.com/help/images/smilies/wacko.gif

Regards,

Steve

Neal · #2 (**permalink**) 27-10-2007, 08:41 PM

The problem with Vista is there are not a lot of malware tools out there yet that work with Vista.

1. This tool MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator")

Please download http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Right click SmitfraudFix.exe Run as Administrator (press any key as the blue screen indicates, then:
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Do not run any other option unless asked to do so please as it could cause serious problems to your desktop

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consultin...rocessutil.htm

New hijackthis log please.

oatsey1983 · #3 (**permalink**) 28-10-2007, 10:41 AM

Hi,

Here is the smitfraud log:

SmitFraudFix v2.242

Scan done at 9:35:15.98, 28/10/2007
Run from C:\Users\Steven\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.e xe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Image Add-on\icthis.exe
C:\Program Files\Image Add-on\isfmntr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Image Add-on\icmntr.exe
C:\Program Files\Image Add-on\isfmm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Steven

»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Steven\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Steven\FAVORI~1

C:\Users\Steven\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Belkin 54g Wireless USB Network Adapter #2
DNS Server Search Order: 10.0.0.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4B7831A7-E57D-4D52-B03A-A0C08E90BB85}: DhcpNameServer=10.10.5.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{869545CE-4EA1-48C0-B818-A3F127039F6F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer=195.92.195.94,195.92.195.95
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EAE21AC6-2F97-4589-BE4E-817A65DB347B}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EE44B626-2879-42CC-A130-38C6E84F9E3F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4B7831A7-E57D-4D52-B03A-A0C08E90BB85}: DhcpNameServer=10.10.5.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{869545CE-4EA1-48C0-B818-A3F127039F6F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer=195.92.195.94,195.92.195.95
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EAE21AC6-2F97-4589-BE4E-817A65DB347B}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EE44B626-2879-42CC-A130-38C6E84F9E3F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4B7831A7-E57D-4D52-B03A-A0C08E90BB85}: DhcpNameServer=10.10.5.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{869545CE-4EA1-48C0-B818-A3F127039F6F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer=195.92.195.94,195.92.195.95
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EAE21AC6-2F97-4589-BE4E-817A65DB347B}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EE44B626-2879-42CC-A130-38C6E84F9E3F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

....and here's the new Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 09:40:59, on 28/10/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Image Add-on\icthis.exe
C:\Program Files\Image Add-on\isfmntr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Image Add-on\icmntr.exe
C:\Program Files\Image Add-on\isfmm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Image Add-on\isfmdl.dll
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Image Add-on\ictmdl.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h30155.www3.hp.com/ediags/dd/...sticsVista.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer = 195.92.195.94,195.92.195.95
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.e xe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Steven\AppData\Local\Temp\DX9\SessionLaun cher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Thanks

Steve

Neal · #4 (**permalink**) 29-10-2007, 06:41 PM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Download and update AVG anti-spyware.Please download the trial version of AVG anti-spyware from here:
http://www.ewido.net/en/download/
- Install AVG anti-spyware.
- When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
- When you run AVG anti-spyware for the first time, you could get a warning "Database could not be found!". Click Ok.
- The program will prompt you to update. Click the Ok button.
- The program will now go to the main screen.
You will need to update AVG anti-spyware to the latest definition files.
- On the left-hand side of the main screen click the Update Button.
- Click on Start.
- The update will start and a progress bar will show the updates being installed.
Once finished updating, close AVG anti-spyware.

If you are having problems with the updater, you can use this link to manually update AVG anti-spyware.
AVG anti-spyware manual updates. Make sure to close AVG anti-spyware before installing the update.
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Run Smitfraud Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Clean out your Temporary Internet files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
Run AVG anti-spyware. Close ALL open Windows / Programs / Folders. Please start AVG anti-spyware, and run a full scan.
- Click on Scanner
- Click on Settings
  - Under How to scan all boxes should be checked
  - Under Unwanted Software all boxes should be checked
  - Under What to scan select Scan every file
  - Click on Ok
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
If AVG anti-spyware finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
- Click Save Report button
- Save the report to your Desktop
Close AVG anti-spyware and Reboot in Normal Mode.
Run SmitfraudFix. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post Logs. Please post:
1. c:\rapport.txt
2. AVG anti-spyware log
3. A new HijackThis log
Your may need several replies to post the requested logs, otherwise they might get cut off.

oatsey1983 · #5 (**permalink**) 29-10-2007, 10:34 PM

Hi,

I have completed as requested, all now looks good apart grom my pc running super, super slow.

I ran Smitfraud twice by mistake and saved over first log with second but here are my logs:

SmitFraudFix v2.242

Scan done at 20:33:58.17, 29/10/2007
Run from C:\Users\Steven\Desktop\Protection\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4B7831A7-E57D-4D52-B03A-A0C08E90BB85}: DhcpNameServer=10.10.5.8
HKLM\SYSTEM\CCS\Services\Tcpip\..\{869545CE-4EA1-48C0-B818-A3F127039F6F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer=195.92.195.94,195.92.195.95
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EAE21AC6-2F97-4589-BE4E-817A65DB347B}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EE44B626-2879-42CC-A130-38C6E84F9E3F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4B7831A7-E57D-4D52-B03A-A0C08E90BB85}: DhcpNameServer=10.10.5.8
HKLM\SYSTEM\CS1\Services\Tcpip\..\{869545CE-4EA1-48C0-B818-A3F127039F6F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer=195.92.195.94,195.92.195.95
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EAE21AC6-2F97-4589-BE4E-817A65DB347B}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EE44B626-2879-42CC-A130-38C6E84F9E3F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4B7831A7-E57D-4D52-B03A-A0C08E90BB85}: DhcpNameServer=10.10.5.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{869545CE-4EA1-48C0-B818-A3F127039F6F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer=195.92.195.94,195.92.195.95
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EAE21AC6-2F97-4589-BE4E-817A65DB347B}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EE44B626-2879-42CC-A130-38C6E84F9E3F}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:24:23 29/10/2007

+ Scan result:

:mozilla.208:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.209:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.210:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.211:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.212:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.213:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.214:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.215:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.42:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.43:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.44:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.45:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.48:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.55:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.75:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.205:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.206:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.127:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.128:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.129:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.130:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.131:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.100:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.106:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.107:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.108:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.109:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.110:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.111:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.112:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.113:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.157:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.122:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.123:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.124:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.31:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.19:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.20:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.21:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.22:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.23:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.28:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.101:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.93:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.94:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.95:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.96:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.97:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.203:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.204:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.338:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.339:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.16:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.14:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.149:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.125:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.126:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.219:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.220:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.221:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.222:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.223:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.224:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.191:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.192:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.193:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.17:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.137:C:\Users\Steven\AppData\Roaming\Mozil la\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.49:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.50:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.51:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.52:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.53:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.54:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.56:C:\Users\Steven\AppData\Roaming\Mozill a\Firefox\Profiles\4kf3k30q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 21:31:04, on 29/10/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\explorer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h30155.www3.hp.com/ediags/dd/...sticsVista.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer = 195.92.195.94,195.92.195.95
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.e xe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Steven\AppData\Local\Temp\DX9\SessionLaun cher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Does everything look ok now??

Thanks

Steve

Neal · #6 (**permalink**) 30-10-2007, 05:51 AM

Please delete the version of HiJackThis.exe you have installed, then download the new version from here:

HIJACKTHIS

Make sure hijackthis is in it's own folder like this:

Program Files\hijackthis\hijackthis.exe

Please go to hijackthis.exe and right click on it and then click on rename and rename it to foolyou.exe, press enter
and post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.

To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner

Don't install any Toolbars, or other programs, should it ask you!Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.

Uncheck cookies

Before first use:
Select Options then Advanced.
UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.

Then Reboot (Exit)

1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post a new hijackthis log also please, renamed.

Thanks.

oatsey1983 · #7 (**permalink**) 02-11-2007, 10:54 AM

Hi,

I done the requested.

1st HJT log before running combofix and cc cleaner:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:00:18, on 02/11/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\foolyou.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O13 - Gopher Prefix:
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h30155.www3.hp.com/ediags/dd/...sticsVista.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer = 195.92.195.94,195.92.195.95
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.e xe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Steven\AppData\Local\Temp\DX9\SessionLaun cher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8890 bytes

Here is the combfix log:

ComboFix 07-11-01.1 - Steven 2007-11-02 9:41:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1277 [GMT 0:00]
Running from: C:\Users\Steven\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-11-02 09:38 51,200 --a------ C:\Windows\NirCmd.exe
2007-11-02 09:03 <DIR> d-------- C:\Program Files\CCleaner
2007-10-29 21:27 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2007-10-29 21:27 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2007-10-29 21:27 53,248 --a------ C:\Windows\System32\Process.exe
2007-10-29 21:27 51,200 --a------ C:\Windows\System32\dumphive.exe
2007-10-29 21:27 25,600 --a------ C:\Windows\System32\WS2Fix.exe
2007-10-29 18:38 <DIR> d-------- C:\Users\Steven\AppData\Roaming\Grisoft
2007-10-29 18:38 <DIR> d-------- C:\Users\All Users\Grisoft
2007-10-29 18:38 <DIR> d-------- C:\ProgramData\Grisoft
2007-10-29 18:38 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2007-10-28 09:35 3,114 --a------ C:\Windows\System32\tmp.reg
2007-10-26 19:39 <DIR> d-------- C:\Program Files\Image Add-on
2007-10-22 20:32 <DIR> d-------- C:\Users\Steven\AppData\Roaming\SystemRequirements Lab
2007-10-22 16:30 <DIR> d-------- C:\Users\Steven\AppData\Roaming\Template
2007-10-22 16:30 96 --a------ C:\Users\Steven\AppData\Roaming\wklnhst.dat
2007-10-22 16:04 <DIR> d-------- C:\Windows\Sun
2007-10-22 15:51 <DIR> d-------- C:\Program Files\Microsoft Picture It! 10
2007-10-12 15:59 <DIR> d-------- C:\Users\Steven\AppData\Roaming\Lionhead Studios
2007-10-12 15:46 <DIR> d-------- C:\Program Files\MySoCo.com
2007-10-12 15:12 <DIR> d-------- C:\Program Files\Password Protect
2007-10-12 13:37 <DIR> d-------- C:\Program Files\Easy CD & DVD Cover Creator
2007-10-12 12:09 2,179,072 --a------ C:\Windows\System32\mfc71d.dll
2007-10-12 12:09 765,952 --a------ C:\Windows\System32\msvcp71d.dll
2007-10-12 12:09 544,768 --a------ C:\Windows\System32\msvcr71d.dll
2007-10-12 12:09 149,504 --a------ C:\Windows\System32\UNWISE.EXE
2007-10-12 12:08 <DIR> d-------- C:\MyVideos
2007-10-12 12:08 749,641 --a------ C:\Windows\System32\hcwtvwnd.dll
2007-10-12 12:08 258,104 --a------ C:\Windows\System32\hcwpnp32.dll
2007-10-12 12:08 159,744 --a------ C:\Windows\System32\hcwChDB.dll
2007-10-12 12:08 90,190 --a------ C:\Windows\System32\Bt848WST.DLL
2007-10-12 12:08 36,921 --a------ C:\Windows\System32\hcwutl32.dll
2007-10-12 12:08 28,672 --a------ C:\Windows\System32\hcwsched.dll
2007-10-12 12:07 213,050 --a------ C:\Windows\System32\hcwChan.dll
2007-10-12 12:07 106,559 --a------ C:\Windows\System32\hcwTVDlg.dll
2007-10-12 12:07 11,264 --a------ C:\Windows\System32\hcwhook.dll
2007-10-12 12:03 98,360 --------- C:\Windows\System32\hcwi2c32.dll
2007-10-12 11:44 <DIR> d-------- C:\Hauppauge
2007-10-12 11:44 467,456 --a------ C:\Windows\System32\drivers\hcw95bda.sys
2007-10-12 11:44 15,488 --a------ C:\Windows\System32\hcw95rc.sys
2007-10-12 11:44 15,488 --a------ C:\Windows\System32\drivers\hcw95rc.sys
2007-10-12 11:17 <DIR> d-------- C:\Program Files\WinTV
2007-10-12 11:17 69,632 --a------ C:\Windows\System32\3DES.dll
2007-10-12 11:17 65,536 --a------ C:\Windows\System32\dmcrypto.dll
2007-10-11 17:45 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2007-10-11 17:45 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2007-10-11 17:45 7,680 --a------ C:\Windows\System32\spwmp.dll
2007-10-11 17:45 4,096 --a------ C:\Windows\System32\dxmasf.dll
2007-10-11 17:43 788,992 --a------ C:\Windows\System32\rpcrt4.dll
2007-10-11 17:43 737,792 --a------ C:\Windows\System32\inetcomm.dll
2007-10-11 17:43 84,480 --a------ C:\Windows\System32\INETRES.dll
2007-10-08 19:25 <DIR> d-------- C:\Users\All Users\Lionhead Studios
2007-10-08 19:25 <DIR> d-------- C:\ProgramData\Lionhead Studios
2007-10-08 19:25 <DIR> d-------- C:\Program Files\Lionhead Studios Ltd
2007-10-08 19:22 <DIR> d--hs---- C:\Windows\ftpcache
2007-10-08 18:49 <DIR> d-------- C:\Users\Steven\AppData\Roaming\Sonic
2007-10-08 18:49 <DIR> d-------- C:\Users\Steven\AppData\Roaming\Leadertech
2007-10-07 13:02 <DIR> d-------- C:\Users\Steven\AppData\Roaming\Roxio
2007-10-07 13:00 <DIR> d-------- C:\Program Files\InterActual
2007-10-07 12:19 <DIR> d-------- C:\Users\All Users\SmartSound Software Inc
2007-10-07 12:19 <DIR> d-------- C:\Users\All Users\eSellerate
2007-10-07 12:19 <DIR> d-------- C:\ProgramData\SmartSound Software Inc
2007-10-07 12:19 <DIR> d-------- C:\ProgramData\eSellerate
2007-10-07 12:19 <DIR> d-------- C:\Program Files\SmartSound Software
2007-10-07 12:18 <DIR> d-------- C:\Users\All Users\InstallShield
2007-10-07 12:18 <DIR> d-------- C:\ProgramData\InstallShield
2007-10-07 12:17 3,495,784 --a------ C:\Windows\System32\d3dx9_33.dll
2007-10-07 12:17 1,123,696 --a------ C:\Windows\System32\D3DCompiler_33.dll
2007-10-07 12:17 443,752 --a------ C:\Windows\System32\d3dx10_33.dll
2007-10-07 12:15 <DIR> d-------- C:\Windows\System32\URTTEMP
2007-10-06 20:31 <DIR> d-------- C:\Program Files\LucasArts
2007-10-05 12:47 2,297,552 --a------ C:\Windows\System32\d3dx9_26.dll
2007-10-05 12:44 <DIR> d-------- C:\Program Files\Codemasters
2007-10-05 11:55 <DIR> d-------- C:\Users\All Users\DVD Shrink
2007-10-05 11:55 <DIR> d-------- C:\ProgramData\DVD Shrink
2007-10-05 11:55 <DIR> d-------- C:\Program Files\DVDFab HD Decrypter 3
2007-10-05 11:55 <DIR> d-------- C:\Program Files\DVD Shrink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-10-29 18:11 --------- d-----w C:\Users\Steven\AppData\Roaming\Azureus
2007-10-25 16:03 23,152 ----a-w C:\Windows\system32\drivers\aswRdr.sys
2007-10-25 16:01 45,648 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2007-10-25 16:01 42,912 ----a-w C:\Windows\system32\drivers\aswTdi.sys
2007-10-25 15:24 815,480 ----a-w C:\Windows\System32\aswBoot.exe
2007-10-25 15:14 95,608 ----a-w C:\Windows\System32\AvastSS.scr
2007-10-23 05:24 --------- d-----w C:\Program Files\Java
2007-10-19 12:23 --------- d-----w C:\ProgramData\Microsoft Help
2007-10-19 09:30 --------- d-----w C:\Users\Steven\AppData\Roaming\LimeWire
2007-10-11 21:17 --------- d-----w C:\Program Files\Windows Mail
2007-10-11 17:44 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-10-11 17:44 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-10-11 17:44 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-10-08 19:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 19:17 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-10-07 13:05 --------- d-----w C:\ProgramData\Sonic
2007-10-07 12:57 --------- d-----w C:\ProgramData\Roxio
2007-10-07 12:42 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2007-10-07 12:40 --------- d-----w C:\Program Files\Roxio
2007-10-07 12:26 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-10-07 12:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-05 07:32 --------- d-----w C:\Program Files\Azureus
2007-10-01 17:21 --------- d-----w C:\Program Files\QuickTime
2007-09-30 19:12 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-30 19:08 --------- d-----w C:\ProgramData\Nero
2007-09-21 10:11 47,360 ----a-w C:\Windows\system32\drivers\Pcouffin.sys
2007-09-21 10:11 --------- d-----w C:\Program Files\Super DVD Creator 9.25.0
2007-09-19 05:20 --------- d-----w C:\Program Files\dvdSanta
2007-09-18 17:32 --------- d-----w C:\Users\Steven\AppData\Roaming\Media Player Classic
2007-09-18 17:31 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-09-15 17:05 --------- d-----w C:\ProgramData\TEMP
2007-09-15 17:04 --------- d-----w C:\Program Files\Telltale Games
2007-09-10 15:52 --------- d-----w C:\Program Files\EA GAMES
2007-09-07 14:41 --------- d-----w C:\Users\Steven\AppData\Roaming\NeroDCTemplates
2007-09-07 14:18 639,224 ----a-w C:\Windows\system32\drivers\sptd.sys
2007-09-07 09:36 --------- d-----w C:\Users\Steven\AppData\Roaming\Ahead
2007-09-04 16:54 --------- d-----w C:\Program Files\Windows Calendar
2007-09-04 16:09 8,192 ----a-w C:\Windows\System32\riched32.dll
2007-09-04 16:08 77,824 ----a-w C:\Windows\System32\rascfg.dll
2007-09-04 16:08 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2007-09-04 16:08 694,784 ----a-w C:\Windows\System32\localspl.dll
2007-09-04 16:08 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2007-09-04 16:08 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2007-09-04 16:08 52,736 ----a-w C:\Windows\System32\rasdiag.dll
2007-09-04 16:08 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2007-09-04 16:08 384,000 ----a-w C:\Windows\System32\netcfgx.dll
2007-09-04 16:08 36,864 ----a-w C:\Windows\System32\cdd.dll
2007-09-04 16:08 33,280 ----a-w C:\Windows\System32\traffic.dll
2007-09-04 16:08 32,768 ----a-w C:\Windows\System32\rasmxs.dll
2007-09-04 16:08 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
2007-09-04 16:08 22,016 ----a-w C:\Windows\System32\rasser.dll
2007-09-04 16:08 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2007-09-04 16:08 15,360 ----a-w C:\Windows\System32\pacerprf.dll
2007-09-04 16:08 134,656 ----a-w C:\Windows\System32\dps.dll
2007-09-04 16:08 13,824 ----a-w C:\Windows\System32\wshqos.dll
2007-09-04 16:08 13,824 ----a-w C:\Windows\System32\icsunattend.exe
2007-09-02 15:08 108,144 ----a-w C:\Windows\System32\CmdLineExt.dll
2007-09-02 14:24 --------- d-----w C:\Program Files\Common Files\EasyInfo
2007-09-02 13:07 174 --sha-w C:\Program Files\desktop.ini
2007-09-02 12:50 88,576 ----a-w C:\Windows\System32\avifil32.dll
2007-09-02 12:50 82,944 ----a-w C:\Windows\System32\mciavi32.dll
2007-09-02 12:50 8,138,240 ----a-w C:\Windows\System32\ssBranded.scr
2007-09-02 12:50 712,192 ----a-w C:\Windows\System32\WindowsCodecs.dll
2007-09-02 12:50 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-09-02 12:50 69,632 ----a-w C:\Windows\System32\sendmail.dll
2007-09-02 12:50 65,024 ----a-w C:\Windows\System32\avicap32.dll
2007-09-02 12:50 61,440 ----a-w C:\Windows\System32\ntprint.exe
2007-09-02 12:50 31,232 ----a-w C:\Windows\System32\msvidc32.dll
2007-09-02 12:50 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-09-02 12:50 3,470,008 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-09-02 12:50 269,824 ----a-w C:\Windows\System32\schannel.dll
2007-09-02 12:50 220,160 ----a-w C:\Windows\System32\ntprint.dll
2007-09-02 12:50 123,904 ----a-w C:\Windows\System32\msvfw32.dll
2007-09-02 12:50 120,320 ----a-w C:\Windows\System32\dhcpcsvc6.dll
2007-09-02 12:50 12,800 ----a-w C:\Windows\System32\msrle32.dll
2007-09-02 12:50 10,240 ----a-w C:\Windows\System32\dhcpcmonitor.dll
2007-09-02 12:50 1,984,512 ----a-w C:\Windows\System32\authui.dll
2007-09-02 12:49 750,080 ----a-w C:\Windows\System32\qmgr.dll
2007-09-02 12:48 --------- d-----w C:\Program Files\Belkin
2007-08-28 10:48 98,304 ----a-w C:\Windows\system32CmdLineExt.dll
2007-08-24 17:08 1,275,392 ----a-w C:\Windows\System32\msxml4.dll
2007-08-24 11:07 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2007-08-24 11:07 43,352 ----a-w C:\Windows\System32\wups2.dll
2007-08-24 11:07 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2007-08-24 11:07 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2007-08-24 11:06 80,896 ----a-w C:\Windows\System32\wudriver.dll
2007-08-24 11:06 549,720 ----a-w C:\Windows\System32\wuapi.dll
2007-08-24 11:06 33,624 ----a-w C:\Windows\System32\wups.dll
2007-08-24 11:06 31,232 ----a-w C:\Windows\System32\wuapp.exe
2007-08-24 11:06 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2007-08-23 13:37 87,040 ----a-w C:\Windows\System32\msoert2.dll
2007-08-23 13:37 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2007-08-23 13:37 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2007-08-23 13:35 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2007-08-23 13:35 61,952 ----a-w C:\Windows\System32\cmifw.dll
2007-08-23 13:35 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2007-08-23 13:35 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2007-08-23 13:35 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2007-08-23 13:35 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2007-08-23 13:35 16,896 ----a-w C:\Windows\System32\wfapigp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-01 02:47]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 13:42]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 10:59]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-04-20 01:11]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-15 04:03]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-15 04:03]
"NvMediaCenter"="C:\Windows\system32\NvMcTray. dll" [2007-05-15 04:03]
"CCUTRAYICON"="FactoryMode" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp. exe" [2007-10-25 15:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 12:23]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-01 03:07]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 02:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableLUA"=0 (0x0)

R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\as wMonFlt.sys
R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.e xe"
R3 nvlddmkm;nvlddmkm;C:\Windows\system32\DRIVERS\nvld dmkm.sys
S2 IntelDHSvcConf;Intel DH Service;"C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe"
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe"
S2 RoxLiveShare10;LiveShare P2P Server 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe"
S2 RoxWatch10;Roxio Hard Drive Watcher 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe"
S2 SessionLauncher;SessionLauncher;C:\Users\Steven\Ap pData\Local\Temp\DX9\SessionLauncher.exe
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;C:\Windows\system32\Drivers\hcw95bda.sys
S3 hcw95rc;Hauppauge MOD7700 IR Driver;C:\Windows\system32\DRIVERS\hcw95rc.sys
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe"
S3 RoxMediaDB10;RoxMediaDB10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe"
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;C:\Windows\system32\DRIVERS\sis163u.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\SETUP.EXE AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\K]
\shell\AutoRun\command - K:\AUTOSTUB.EXE

*Newly Created Service* - CATCHME
.
************************************************** ************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 09:45:06
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2007-11-02 9:46:05
.
--- E O F ---

And finally here is the 2nd HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:51:13, on 02/11/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Program Files\HijackThis\foolyou.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O13 - Gopher Prefix:
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h30155.www3.hp.com/ediags/dd/...sticsVista.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer = 195.92.195.94,195.92.195.95
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.e xe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Steven\AppData\Local\Temp\DX9\SessionLaun cher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8554 bytes

Regards,

Steve

Neal · #8 (**permalink**) 02-11-2007, 08:03 PM

You can uninstall AVG anti-spyware 7.5 if you wish, we should be done with that program.

Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\Windows\System32\rascfg.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

If that one is to busy here is another option:

http://virusscan.jotti.org

And

http://www.kaspersky.com/scanforvirus.html

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the files found:

* If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.cvs report.

New HJT log also please.

oatsey1983 · #9 (**permalink**) 05-11-2007, 07:33 AM

Hi,

I tried to follow the above instructions but curit would not work. It managed to complete the express scan, but would not completely scan c:/. It keeps flashing on 'preparing for scanning' and does not filter through the files. It did not find any infections on express scan. I tried a reboot but still the same.

I initially had 1gb ram, but when I was running multi programs it froze a little bit. Since I installed another GB ram, it has ran even slower. I tried going back to 1gb again but it was even slower still. I honestly do noty know what it happening.

Everytime I select any icon or program it has the loading circle for approx 20 secs before appearing.

Here is the scan results from virus total, it found no infections:

File rascfg.dll received on 11.04.2007 13:35:08 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 6.
Estimated start time is between 61 and 87 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.3.0 2007.11.02 -
AntiVir 7.6.0.30 2007.11.02 -
Authentium 4.93.8 2007.11.03 -
Avast 4.7.1074.0 2007.11.03 -
AVG 7.5.0.503 2007.11.04 -
BitDefender 7.2 2007.11.04 -
CAT-QuickHeal 9.00 2007.11.03 -
ClamAV 0.91.2 2007.11.04 -
DrWeb 4.44.0.09170 2007.11.04 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5264 2007.11.02 -
Ewido 4.0 2007.11.04 -
FileAdvisor 1 2007.11.04 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.03 -
F-Secure 6.70.13030.0 2007.11.04 -
Ikarus T3.1.1.12 2007.11.04 -
Kaspersky 7.0.0.125 2007.11.04 -
McAfee 5155 2007.11.02 -
Microsoft 1.2908 2007.11.04 -
NOD32v2 2636 2007.11.03 -
Norman 5.80.02 2007.11.02 -
Panda 9.0.0.4 2007.11.04 -
Prevx1 V2 2007.11.04 -
Rising 20.16.62.00 2007.11.04 -
Sophos 4.23.0 2007.11.04 -
Sunbelt 2.2.907.0 2007.11.02 -
Symantec 10 2007.11.04 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.11.03 -
VirusBuster 4.3.26:9 2007.11.03 -
Webwasher-Gateway 6.6.1 2007.11.02 -

Additional information
File size: 77824 bytes
MD5: 4b5c4197501ef60cb8843907e21f8af5
SHA1: 20e439c9c1023bd83206956eb271d2d49362fccf

Here is a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:32:39, on 05/11/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\foolyou.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O13 - Gopher Prefix:
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h30155.www3.hp.com/ediags/dd/...sticsVista.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0352783-D1DD-4144-BA03-6965326F5637}: NameServer = 195.92.195.94,195.92.195.95
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.e xe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Steven\AppData\Local\Temp\DX9\SessionLaun cher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8276 bytes

There must be something running which is causing it to run super slow.

Regards,

Steve

Neal · #10 (**permalink**) 06-11-2007, 12:18 AM

There are tools that we could run but will not work with vista.

I would uninstall adaware 2007 for now it sometimes can be buggy on some computers. You can always put it back if you want. Reboot afterwards

Online scanners that work with Vista:

Do an online scan (scan only tool) with Kaspersky WebScanner
[Internet Explorer required]

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (if available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.

Post the results of the scan back here please and a new hijackthis log.