Thanks for helping me. I allowed and ran and exe that I believed was a codec patch....and it was not. Scanned and cleaned with AVG free edition and adaware 2007 several times and the browser hijack attempts are increasing with each scan...so that is not working.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:08 PM, on 11/9/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcrcoms.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [67B.tmp] C:\Windows\temp\67B.tmp
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 14871 bytes
Full Version: trojan infection!
Hello 
We may have to do a few different things for this one, but we'll start here:
Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
Thanks,
tea
We may have to do a few different things for this one, but we'll start here:
Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
Thanks,
tea
Ok I ran the malwarebytes scan and it did prompt a restart. Windows defender blocked some startup programs from running at the re boot...not sure about that so I figured I'd mention it. Here are the new logs. thanks for helping
Malwarebytes' Anti-Malware 1.30
Database version: 1378
Windows 6.0.6001 Service Pack 1
11/9/2008 4:42:50 PM
mbam-log-2008-11-09 (16-42-50).txt
Scan type: Quick Scan
Objects scanned: 49891
Time elapsed: 4 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 4
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Tribute Service (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67b.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22e3eeba-28a7-427a-a382-58643050fd2c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{22e3eeba-28a7-427a-a382-58643050fd2c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{22e3eeba-28a7-427a-a382-58643050fd2c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.
Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\kibby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\-- The nicest hobby on Earth ;) --vid\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\-- The nicest hobby on Earth ;) --vid\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\Temp\67B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:48 PM, on 11/9/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcrcoms.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Vongo\Tray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 15296 bytes
Malwarebytes' Anti-Malware 1.30
Database version: 1378
Windows 6.0.6001 Service Pack 1
11/9/2008 4:42:50 PM
mbam-log-2008-11-09 (16-42-50).txt
Scan type: Quick Scan
Objects scanned: 49891
Time elapsed: 4 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 4
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Tribute Service (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67b.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22e3eeba-28a7-427a-a382-58643050fd2c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{22e3eeba-28a7-427a-a382-58643050fd2c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{22e3eeba-28a7-427a-a382-58643050fd2c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3c4c231c-bd71-4ac7-a165-5023550969d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.
Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\kibby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\-- The nicest hobby on Earth ;) --vid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\-- The nicest hobby on Earth ;) --vid\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\-- The nicest hobby on Earth ;) --vid\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\Temp\67B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:48 PM, on 11/9/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcrcoms.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Vongo\Tray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 15296 bytes
Hello,
I see you're here......have the redirects stopped? LOL....and now you're not. Okay........
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
Close all browsers and other windows except for HijackThis!, and click "Fix checked".
delete the following file:
C:\Windows\system32\kdlbv.exe
Reboot your computer.
Click Start>Run> Type in (or copy and paste) ipconfig /flushdns and hit enter. You'll get a confirmation that the flush was successful.
FOR CONNECTION PROBLEMS ONLY :
Click on Start, Control Panel, select the Network and Internet Connections category or double click on Network Connections, depending on which View you are using. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item. Write down the settings in case you should need to change them back. Select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks. If it does not prompt you to reboot go ahead and reboot manually.
Please let me know how it's running now. :)
Thanks,
tea
I see you're here......have the redirects stopped? LOL....and now you're not. Okay........
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
Close all browsers and other windows except for HijackThis!, and click "Fix checked".
delete the following file:
C:\Windows\system32\kdlbv.exe
Reboot your computer.
Click Start>Run> Type in (or copy and paste) ipconfig /flushdns and hit enter. You'll get a confirmation that the flush was successful.
FOR CONNECTION PROBLEMS ONLY :
Click on Start, Control Panel, select the Network and Internet Connections category or double click on Network Connections, depending on which View you are using. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item. Write down the settings in case you should need to change them back. Select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks. If it does not prompt you to reboot go ahead and reboot manually.
Please let me know how it's running now. :)
Thanks,
tea
Tea,
Thanks for working on this with me. That being said...not going so well. The file you asked me to delete (C:\Windows\system32\kdlbv.exe) cannot be deleted as windows is telling me that "another program is currently using this file". So, I cant get any access to it and I have no idea what would be running it.
Also, I did the fix checked on the 5 lines in the registry you indicated (I've been through this before) and restart and they are still there upon a re-scan. When I go to "Click Start>Run> Type in (or copy and paste) ipconfig /flushdns and hit enter. You'll get a confirmation that the flush was successful."...nothing happens at all. It doesnt give me any result or anything. So, not sure. Any thoughts? Thanks for your patience.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:59 PM, on 11/9/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcrcoms.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 15042 bytes
Thanks for working on this with me. That being said...not going so well. The file you asked me to delete (C:\Windows\system32\kdlbv.exe) cannot be deleted as windows is telling me that "another program is currently using this file". So, I cant get any access to it and I have no idea what would be running it.
Also, I did the fix checked on the 5 lines in the registry you indicated (I've been through this before) and restart and they are still there upon a re-scan. When I go to "Click Start>Run> Type in (or copy and paste) ipconfig /flushdns and hit enter. You'll get a confirmation that the flush was successful."...nothing happens at all. It doesnt give me any result or anything. So, not sure. Any thoughts? Thanks for your patience.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:59 PM, on 11/9/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcrcoms.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS2\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 15042 bytes
Hello,
It's okay. More than one way to go about this.
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Thanks,
tea
It's okay. More than one way to go about this.
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Thanks,
tea
Ok, here are the two logs. Thanks again, sorry about the delay...had to sleep.
ComboFix 08-11-09.04 - kibby 2008-11-10 8:46:10.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1092 [GMT -5:00]
Running from: c:\users\kibby\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-09 16:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 11:24 . 2008-11-09 11:24 22 --a------ C:\RPT23432
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Mon Cheri Bridals, LLC
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Microsoft Visual Studio .NET 2003
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2008-11-05 06:34 . 2008-11-05 06:34 <DIR> d-------- c:\windows\System32\URTTEMP
2008-10-28 18:32 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-28 18:32 . 2008-09-17 23:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-28 18:32 . 2008-09-17 23:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-22 14:43 . 2008-08-05 04:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-22 14:43 . 2008-08-05 04:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-22 14:43 . 2008-08-05 04:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-22 14:43 . 2008-08-05 04:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-22 14:43 . 2008-08-05 04:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-16 12:27 . 2008-10-16 12:27 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-10-14 16:09 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-14 16:09 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-14 16:09 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-14 16:09 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-14 16:09 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-14 16:09 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 21:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-09 19:53 --------- d-----w c:\programdata\avg7
2008-11-08 17:49 --------- d-----w c:\programdata\Roxio
2008-11-08 16:03 --------- d-----w c:\users\kibby\AppData\Roaming\foobar2000
2008-11-06 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Ericom
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-19 16:13 --------- d-----w c:\programdata\DVD Shrink
2008-10-15 07:12 --------- d-----w c:\program files\Windows Mail
2008-10-15 07:02 --------- d-----w c:\programdata\Microsoft Help
2008-10-15 00:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 00:13 --------- d-----w c:\program files\Hewlett-Packard
2008-10-15 00:11 --------- d-----w c:\users\kibby\AppData\Roaming\Hewlett-Packard
2008-10-09 15:56 --------- d-----w c:\program files\foobar2000
2008-10-07 15:48 --------- d-----w c:\programdata\Viewpoint
2008-10-07 15:48 --------- d-----w c:\program files\TotalAudioConverter
2008-10-07 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Softplicity
2008-10-06 17:24 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 17:24 --------- d-----w c:\program files\iTunes
2008-10-06 17:24 --------- d-----w c:\program files\iPod
2008-10-06 17:17 --------- d-----w c:\program files\Bonjour
2008-10-06 00:21 --------- d-----w c:\program files\Xvid
2008-10-04 02:34 --------- d-----w c:\users\kibby\AppData\Roaming\.BitTornado
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-25 21:54 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-09-23 18:49 --------- d-----w c:\program files\QuickTime
2008-09-23 17:15 --------- d-----w c:\program files\iTunes(79)
2008-09-23 17:15 --------- d-----w c:\program files\iPod(78)
2008-09-23 17:13 --------- d-----w c:\program files\QuickTime(81)
2008-09-23 17:13 --------- d-----w c:\program files\Common Files\Apple
2008-09-23 17:08 --------- d-----w c:\program files\Bonjour(0)
2008-09-20 20:20 --------- d-----w c:\programdata\NVIDIA
2008-09-20 07:27 174 --sha-w c:\program files\desktop.ini
2008-09-20 07:18 --------- d-----w c:\program files\Windows Sidebar
2008-09-20 07:18 --------- d-----w c:\program files\Windows Photo Gallery
2008-09-20 07:18 --------- d-----w c:\program files\Windows Journal
2008-09-20 07:18 --------- d-----w c:\program files\Windows Defender
2008-09-20 07:18 --------- d-----w c:\program files\Windows Collaboration
2008-09-20 07:18 --------- d-----w c:\program files\Windows Calendar
2008-09-20 02:35 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-20 02:35 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-04 02:10 27,335 ----a-w c:\users\kibby\AppData\Roaming\nvModes.dat
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-07-15 13:13 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-14 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 579584]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 451896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-12-11 291760]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-12-11 82864]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 106496]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-24 219136]
c:\users\kibby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk - c:\users\kibby\AppData\Local\Ericom\PowerTerm WebConnect 5.6\sbs.mcbridals.com\PtAgent.exe [2008-05-27 2295112]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-04 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-11-24 16:25 9216 c:\windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DDB79537-BE1B-49D8-9E35-865252F6818E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{62DAD364-9054-4450-8B64-1E97F59A49D1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5BC58A37-88F1-48D7-8BE5-98236F326965}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{977244DC-0C6F-4602-9E5D-F53F4137696A}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B3911568-681C-4786-BEA2-E6C5845AE21D}"= TCP:67:DHCP Discovery Service
"{A4A82682-D2F8-47D0-BA7D-239C57EE3C99}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{C22ECE1F-A57B-4AA5-8459-3F5D9DAFD0F6}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"TCP Query User{658363F6-C46D-4DEA-A707-8F6A739334FF}c:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{16D93087-EDDD-42AA-A9AE-76AC7F8A44B4}c:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{4E992B70-8441-477B-A303-B0B3751C076A}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= UDP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"UDP Query User{3C8057C6-6009-4997-B2C6-A0D03238DEFD}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= TCP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"{9329196A-CC01-403D-8277-4DB43E1DE79B}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F44D4F0D-6D59-45A9-9E73-9E823E6560FF}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{35E87E62-9FD5-4B88-AB1E-AB3C003BF2EA}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{2F0B9063-922B-4CE9-B2D5-2D9D187813CD}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3A09D74D-9B6D-4388-ABC9-1A95185DC5E1}"= UDP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{89436FFA-94A8-4954-88CE-15C56697B44D}"= TCP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{75E50432-A8D0-448F-BA2F-13ACE4577F40}"= UDP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{B56F5D1E-9558-416F-ADEE-977B984156A0}"= TCP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{A40A7234-AC4F-4A43-BCE8-71E8325471FF}"= UDP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"{E041AB7F-8EC4-48F2-82F0-9AF9AA318169}"= TCP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"TCP Query User{87C6CD61-B7EE-4DF5-80E6-FF2A3921022D}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= UDP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"UDP Query User{ED4534E2-12EE-415A-95C1-D6C844E881AA}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= TCP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"{A4DEA9D4-575A-4C1A-9CE3-81E72EF3CDB8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2843FA19-579D-42CB-83F7-65EAC6AC3340}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{110CD476-3F32-4ADE-8A24-6F906A3A983F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DA32CDCA-6BC8-4DBB-922E-A22A6A164564}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\system32\Drivers\avgwfp.sys [2008-06-28 53768]
S2 Windows Tribute Service;Windows Tribute Service;c:\windows\system32\kdlbv.exe [2008-01-19 70144]
S3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2007-12-14 5120]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-10-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2006-11-02 04:45]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Aim6 - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 -: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 -: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 -: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
O8 -: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
O17 -: HKLM\CCS\Interface\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 -: HKLM\CCS\Interface\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O16 -: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://sbs.mcbridals.com:88/webconnect5.6/windows/ptdownloader.cab
c:\windows\Downloaded Program Files\PtDownloader.inf
c:\windows\Downloaded Program Files\PtBroker.exe
c:\windows\Downloaded Program Files\PtDownloader.dll
c:\windows\Downloaded Program Files\PtBrkr.exe
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 08:49:26
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-10 8:51:09
ComboFix-quarantined-files.txt 2008-11-10 13:51:06
Pre-Run: 46,194,188,288 bytes free
Post-Run: 49,304,219,648 bytes free
236 --- E O F --- 2008-11-07 23:57:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:56 AM, on 11/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcrcoms.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 14255 bytes
ComboFix 08-11-09.04 - kibby 2008-11-10 8:46:10.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1092 [GMT -5:00]
Running from: c:\users\kibby\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-09 16:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 11:24 . 2008-11-09 11:24 22 --a------ C:\RPT23432
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Mon Cheri Bridals, LLC
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Microsoft Visual Studio .NET 2003
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2008-11-05 06:34 . 2008-11-05 06:34 <DIR> d-------- c:\windows\System32\URTTEMP
2008-10-28 18:32 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-28 18:32 . 2008-09-17 23:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-28 18:32 . 2008-09-17 23:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-22 14:43 . 2008-08-05 04:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-22 14:43 . 2008-08-05 04:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-22 14:43 . 2008-08-05 04:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-22 14:43 . 2008-08-05 04:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-22 14:43 . 2008-08-05 04:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-16 12:27 . 2008-10-16 12:27 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-10-14 16:09 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-14 16:09 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-14 16:09 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-14 16:09 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-14 16:09 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-14 16:09 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 21:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-09 19:53 --------- d-----w c:\programdata\avg7
2008-11-08 17:49 --------- d-----w c:\programdata\Roxio
2008-11-08 16:03 --------- d-----w c:\users\kibby\AppData\Roaming\foobar2000
2008-11-06 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Ericom
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-19 16:13 --------- d-----w c:\programdata\DVD Shrink
2008-10-15 07:12 --------- d-----w c:\program files\Windows Mail
2008-10-15 07:02 --------- d-----w c:\programdata\Microsoft Help
2008-10-15 00:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 00:13 --------- d-----w c:\program files\Hewlett-Packard
2008-10-15 00:11 --------- d-----w c:\users\kibby\AppData\Roaming\Hewlett-Packard
2008-10-09 15:56 --------- d-----w c:\program files\foobar2000
2008-10-07 15:48 --------- d-----w c:\programdata\Viewpoint
2008-10-07 15:48 --------- d-----w c:\program files\TotalAudioConverter
2008-10-07 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Softplicity
2008-10-06 17:24 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 17:24 --------- d-----w c:\program files\iTunes
2008-10-06 17:24 --------- d-----w c:\program files\iPod
2008-10-06 17:17 --------- d-----w c:\program files\Bonjour
2008-10-06 00:21 --------- d-----w c:\program files\Xvid
2008-10-04 02:34 --------- d-----w c:\users\kibby\AppData\Roaming\.BitTornado
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-25 21:54 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-09-23 18:49 --------- d-----w c:\program files\QuickTime
2008-09-23 17:15 --------- d-----w c:\program files\iTunes(79)
2008-09-23 17:15 --------- d-----w c:\program files\iPod(78)
2008-09-23 17:13 --------- d-----w c:\program files\QuickTime(81)
2008-09-23 17:13 --------- d-----w c:\program files\Common Files\Apple
2008-09-23 17:08 --------- d-----w c:\program files\Bonjour(0)
2008-09-20 20:20 --------- d-----w c:\programdata\NVIDIA
2008-09-20 07:27 174 --sha-w c:\program files\desktop.ini
2008-09-20 07:18 --------- d-----w c:\program files\Windows Sidebar
2008-09-20 07:18 --------- d-----w c:\program files\Windows Photo Gallery
2008-09-20 07:18 --------- d-----w c:\program files\Windows Journal
2008-09-20 07:18 --------- d-----w c:\program files\Windows Defender
2008-09-20 07:18 --------- d-----w c:\program files\Windows Collaboration
2008-09-20 07:18 --------- d-----w c:\program files\Windows Calendar
2008-09-20 02:35 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-20 02:35 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-04 02:10 27,335 ----a-w c:\users\kibby\AppData\Roaming\nvModes.dat
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-07-15 13:13 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-14 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 579584]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 451896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-12-11 291760]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-12-11 82864]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 106496]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-24 219136]
c:\users\kibby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk - c:\users\kibby\AppData\Local\Ericom\PowerTerm WebConnect 5.6\sbs.mcbridals.com\PtAgent.exe [2008-05-27 2295112]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-04 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-11-24 16:25 9216 c:\windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DDB79537-BE1B-49D8-9E35-865252F6818E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{62DAD364-9054-4450-8B64-1E97F59A49D1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5BC58A37-88F1-48D7-8BE5-98236F326965}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{977244DC-0C6F-4602-9E5D-F53F4137696A}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B3911568-681C-4786-BEA2-E6C5845AE21D}"= TCP:67:DHCP Discovery Service
"{A4A82682-D2F8-47D0-BA7D-239C57EE3C99}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{C22ECE1F-A57B-4AA5-8459-3F5D9DAFD0F6}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"TCP Query User{658363F6-C46D-4DEA-A707-8F6A739334FF}c:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{16D93087-EDDD-42AA-A9AE-76AC7F8A44B4}c:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{4E992B70-8441-477B-A303-B0B3751C076A}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= UDP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"UDP Query User{3C8057C6-6009-4997-B2C6-A0D03238DEFD}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= TCP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"{9329196A-CC01-403D-8277-4DB43E1DE79B}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F44D4F0D-6D59-45A9-9E73-9E823E6560FF}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{35E87E62-9FD5-4B88-AB1E-AB3C003BF2EA}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{2F0B9063-922B-4CE9-B2D5-2D9D187813CD}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3A09D74D-9B6D-4388-ABC9-1A95185DC5E1}"= UDP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{89436FFA-94A8-4954-88CE-15C56697B44D}"= TCP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{75E50432-A8D0-448F-BA2F-13ACE4577F40}"= UDP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{B56F5D1E-9558-416F-ADEE-977B984156A0}"= TCP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{A40A7234-AC4F-4A43-BCE8-71E8325471FF}"= UDP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"{E041AB7F-8EC4-48F2-82F0-9AF9AA318169}"= TCP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"TCP Query User{87C6CD61-B7EE-4DF5-80E6-FF2A3921022D}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= UDP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"UDP Query User{ED4534E2-12EE-415A-95C1-D6C844E881AA}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= TCP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"{A4DEA9D4-575A-4C1A-9CE3-81E72EF3CDB8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2843FA19-579D-42CB-83F7-65EAC6AC3340}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{110CD476-3F32-4ADE-8A24-6F906A3A983F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DA32CDCA-6BC8-4DBB-922E-A22A6A164564}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\system32\Drivers\avgwfp.sys [2008-06-28 53768]
S2 Windows Tribute Service;Windows Tribute Service;c:\windows\system32\kdlbv.exe [2008-01-19 70144]
S3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2007-12-14 5120]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-10-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2006-11-02 04:45]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Aim6 - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 -: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 -: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 -: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
O8 -: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
O17 -: HKLM\CCS\Interface\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 -: HKLM\CCS\Interface\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O16 -: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://sbs.mcbridals.com:88/webconnect5.6/windows/ptdownloader.cab
c:\windows\Downloaded Program Files\PtDownloader.inf
c:\windows\Downloaded Program Files\PtBroker.exe
c:\windows\Downloaded Program Files\PtDownloader.dll
c:\windows\Downloaded Program Files\PtBrkr.exe
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 08:49:26
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-10 8:51:09
ComboFix-quarantined-files.txt 2008-11-10 13:51:06
Pre-Run: 46,194,188,288 bytes free
Post-Run: 49,304,219,648 bytes free
236 --- E O F --- 2008-11-07 23:57:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:56 AM, on 11/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcrcoms.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C4C231C-BD71-4AC7-A165-5023550969D3}: NameServer = 85.255.112.182;85.255.112.197
O17 - HKLM\System\CS1\Services\Tcpip\..\{22E3EEBA-28A7-427A-A382-58643050FD2C}: NameServer = 85.255.112.182;85.255.112.197
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 14255 bytes
Hello,
You had to sleep? Funny how that happens huh?
Not a problem
I'd like to know what that file is before we nuke it. Please navigate to the following file:
c:\windows\system32\kdlbv.exe
Please go to VirusTotal and submit the file for a scan and post the results in your next reply.
Thanks,
tea
You had to sleep? Funny how that happens huh?
Not a problemI'd like to know what that file is before we nuke it. Please navigate to the following file:
c:\windows\system32\kdlbv.exe
Please go to VirusTotal and submit the file for a scan and post the results in your next reply.
Thanks,
tea
Tea,
Good to hear from you...thanks. The issue with your request is still the same problem that I talked about a couple posts back. In regards to c:\windows\system32\kdlbv.exe, I cannot nav to the file or access it in any way as it is "in use with another program". Because i'm getting this message I have no way to delete, upload it to the virus total, or access its path in any way that I'm aware of.
Do you perhaps have some way that I can bypass this?
Good to hear from you...thanks. The issue with your request is still the same problem that I talked about a couple posts back. In regards to c:\windows\system32\kdlbv.exe, I cannot nav to the file or access it in any way as it is "in use with another program". Because i'm getting this message I have no way to delete, upload it to the virus total, or access its path in any way that I'm aware of.
Do you perhaps have some way that I can bypass this?
Yep, we can......I just wanted to know exactly what the bugger was first. Thanks for trying.
* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Let me know how it's running. :)
Thanks,
tea
* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:
QUOTE
Registry::
[-HKLM\CCS\Interface\{22E3EEBA-28A7-427A-A382-58643050FD2C}]
[-HKLM\CCS\Interface\{3C4C231C-BD71-4AC7-A165-5023550969D3}]
File::
c:\windows\system32\kdlbv.exe
[-HKLM\CCS\Interface\{22E3EEBA-28A7-427A-A382-58643050FD2C}]
[-HKLM\CCS\Interface\{3C4C231C-BD71-4AC7-A165-5023550969D3}]
File::
c:\windows\system32\kdlbv.exe
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Let me know how it's running. :)
Thanks,
tea
Ok, great. You rule Tea! Completed your last instructions to the letter. Here are the two new logs as requested.
ComboFix 08-11-09.04 - kibby 2008-11-10 16:19:14.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013 [GMT -5:00]
Running from: c:\users\kibby\Desktop\ComboFix.exe
Command switches used :: c:\users\kibby\Desktop\Nick Stuff\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\kdlbv.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-09 16:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 11:24 . 2008-11-09 11:24 22 --a------ C:\RPT23432
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Mon Cheri Bridals, LLC
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Microsoft Visual Studio .NET 2003
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2008-11-05 06:34 . 2008-11-05 06:34 <DIR> d-------- c:\windows\System32\URTTEMP
2008-10-28 18:32 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-28 18:32 . 2008-09-17 23:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-28 18:32 . 2008-09-17 23:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-22 14:43 . 2008-08-05 04:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-22 14:43 . 2008-08-05 04:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-22 14:43 . 2008-08-05 04:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-22 14:43 . 2008-08-05 04:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-22 14:43 . 2008-08-05 04:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-16 12:27 . 2008-10-16 12:27 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-10-14 16:09 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-14 16:09 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-14 16:09 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-14 16:09 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-14 16:09 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-14 16:09 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 21:19 70,144 ----a-w c:\windows\System32\kdlbv.exe
2008-11-09 21:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-09 19:53 --------- d-----w c:\programdata\avg7
2008-11-08 17:49 --------- d-----w c:\programdata\Roxio
2008-11-08 16:03 --------- d-----w c:\users\kibby\AppData\Roaming\foobar2000
2008-11-06 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Ericom
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-19 16:13 --------- d-----w c:\programdata\DVD Shrink
2008-10-15 07:12 --------- d-----w c:\program files\Windows Mail
2008-10-15 07:02 --------- d-----w c:\programdata\Microsoft Help
2008-10-15 00:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 00:13 --------- d-----w c:\program files\Hewlett-Packard
2008-10-15 00:11 --------- d-----w c:\users\kibby\AppData\Roaming\Hewlett-Packard
2008-10-09 15:56 --------- d-----w c:\program files\foobar2000
2008-10-07 15:48 --------- d-----w c:\programdata\Viewpoint
2008-10-07 15:48 --------- d-----w c:\program files\TotalAudioConverter
2008-10-07 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Softplicity
2008-10-06 17:24 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 17:24 --------- d-----w c:\program files\iTunes
2008-10-06 17:24 --------- d-----w c:\program files\iPod
2008-10-06 17:17 --------- d-----w c:\program files\Bonjour
2008-10-06 00:21 --------- d-----w c:\program files\Xvid
2008-10-04 02:34 --------- d-----w c:\users\kibby\AppData\Roaming\.BitTornado
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-25 21:54 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-09-23 18:49 --------- d-----w c:\program files\QuickTime
2008-09-23 17:15 --------- d-----w c:\program files\iTunes(79)
2008-09-23 17:15 --------- d-----w c:\program files\iPod(78)
2008-09-23 17:13 --------- d-----w c:\program files\QuickTime(81)
2008-09-23 17:13 --------- d-----w c:\program files\Common Files\Apple
2008-09-23 17:08 --------- d-----w c:\program files\Bonjour(0)
2008-09-20 20:20 --------- d-----w c:\programdata\NVIDIA
2008-09-20 07:27 174 --sha-w c:\program files\desktop.ini
2008-09-20 07:18 --------- d-----w c:\program files\Windows Sidebar
2008-09-20 07:18 --------- d-----w c:\program files\Windows Photo Gallery
2008-09-20 07:18 --------- d-----w c:\program files\Windows Journal
2008-09-20 07:18 --------- d-----w c:\program files\Windows Defender
2008-09-20 07:18 --------- d-----w c:\program files\Windows Collaboration
2008-09-20 07:18 --------- d-----w c:\program files\Windows Calendar
2008-09-20 02:35 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-20 02:35 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-04 02:10 27,335 ----a-w c:\users\kibby\AppData\Roaming\nvModes.dat
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-07-15 13:13 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-10_ 8.50.16.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-10 03:05:41 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-11-10 21:22:40 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-11-10 03:05:41 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-11-10 21:22:40 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-11-10 03:07:12 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-11-10 21:24:13 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-11-10 03:07:11 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-11-10 21:24:12 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-11-10 13:38:42 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-10 21:15:07 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-10 13:38:42 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-10 21:15:07 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-10 13:38:42 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-10 21:15:07 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-10 03:09:09 7,868 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3896843634-2702929338-3619765367-1000_UserData.bin
+ 2008-11-10 21:24:43 7,884 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3896843634-2702929338-3619765367-1000_UserData.bin
- 2008-11-10 03:09:09 68,210 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-10 21:24:42 68,210 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-10 02:48:59 2,898 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-11-10 21:21:32 2,898 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-11-10 03:09:08 51,008 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-10 21:24:41 51,152 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-14 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 579584]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 451896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-12-11 291760]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-12-11 82864]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 106496]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-24 219136]
c:\users\kibby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk - c:\users\kibby\AppData\Local\Ericom\PowerTerm WebConnect 5.6\sbs.mcbridals.com\PtAgent.exe [2008-05-27 2295112]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-04 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-11-24 16:25 9216 c:\windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DDB79537-BE1B-49D8-9E35-865252F6818E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{62DAD364-9054-4450-8B64-1E97F59A49D1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5BC58A37-88F1-48D7-8BE5-98236F326965}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{977244DC-0C6F-4602-9E5D-F53F4137696A}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B3911568-681C-4786-BEA2-E6C5845AE21D}"= TCP:67:DHCP Discovery Service
"{A4A82682-D2F8-47D0-BA7D-239C57EE3C99}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{C22ECE1F-A57B-4AA5-8459-3F5D9DAFD0F6}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"TCP Query User{658363F6-C46D-4DEA-A707-8F6A739334FF}c:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{16D93087-EDDD-42AA-A9AE-76AC7F8A44B4}c:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{4E992B70-8441-477B-A303-B0B3751C076A}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= UDP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"UDP Query User{3C8057C6-6009-4997-B2C6-A0D03238DEFD}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= TCP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"{9329196A-CC01-403D-8277-4DB43E1DE79B}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F44D4F0D-6D59-45A9-9E73-9E823E6560FF}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{35E87E62-9FD5-4B88-AB1E-AB3C003BF2EA}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{2F0B9063-922B-4CE9-B2D5-2D9D187813CD}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3A09D74D-9B6D-4388-ABC9-1A95185DC5E1}"= UDP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{89436FFA-94A8-4954-88CE-15C56697B44D}"= TCP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{75E50432-A8D0-448F-BA2F-13ACE4577F40}"= UDP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{B56F5D1E-9558-416F-ADEE-977B984156A0}"= TCP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{A40A7234-AC4F-4A43-BCE8-71E8325471FF}"= UDP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"{E041AB7F-8EC4-48F2-82F0-9AF9AA318169}"= TCP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"TCP Query User{87C6CD61-B7EE-4DF5-80E6-FF2A3921022D}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= UDP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"UDP Query User{ED4534E2-12EE-415A-95C1-D6C844E881AA}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= TCP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"{A4DEA9D4-575A-4C1A-9CE3-81E72EF3CDB8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2843FA19-579D-42CB-83F7-65EAC6AC3340}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{110CD476-3F32-4ADE-8A24-6F906A3A983F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DA32CDCA-6BC8-4DBB-922E-A22A6A164564}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\system32\Drivers\avgwfp.sys [2008-06-28 53768]
S2 Windows Tribute Service;Windows Tribute Service;c:\windows\system32\kdlbv.exe [2008-11-10 70144]
S3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2007-12-14 5120]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-10-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2006-11-02 04:45]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 16:25:06
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\users\kibby\AppData\Local\Temp\WPDNSE
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\lxcrcoms.exe
c:\program files\Vongo\VongoService.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Grisoft\AVG7\avgcc.exe
c:\program files\Vongo\Tray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2008-11-10 16:32:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 21:32:46
ComboFix2.txt 2008-11-10 13:51:10
Pre-Run: 68,808,679,424 bytes free
Post-Run: 68,690,411,520 bytes free
264 --- E O F --- 2008-11-07 23:57:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:35 PM, on 11/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Vongo\Tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12217 bytes
ComboFix 08-11-09.04 - kibby 2008-11-10 16:19:14.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013 [GMT -5:00]
Running from: c:\users\kibby\Desktop\ComboFix.exe
Command switches used :: c:\users\kibby\Desktop\Nick Stuff\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\kdlbv.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-09 16:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 11:24 . 2008-11-09 11:24 22 --a------ C:\RPT23432
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Mon Cheri Bridals, LLC
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Microsoft Visual Studio .NET 2003
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2008-11-05 06:34 . 2008-11-05 06:34 <DIR> d-------- c:\windows\System32\URTTEMP
2008-10-28 18:32 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-28 18:32 . 2008-09-17 23:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-28 18:32 . 2008-09-17 23:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-22 14:43 . 2008-08-05 04:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-22 14:43 . 2008-08-05 04:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-22 14:43 . 2008-08-05 04:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-22 14:43 . 2008-08-05 04:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-22 14:43 . 2008-08-05 04:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-16 12:27 . 2008-10-16 12:27 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-10-14 16:09 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-14 16:09 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-14 16:09 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-14 16:09 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-14 16:09 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-14 16:09 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 21:19 70,144 ----a-w c:\windows\System32\kdlbv.exe
2008-11-09 21:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-09 19:53 --------- d-----w c:\programdata\avg7
2008-11-08 17:49 --------- d-----w c:\programdata\Roxio
2008-11-08 16:03 --------- d-----w c:\users\kibby\AppData\Roaming\foobar2000
2008-11-06 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Ericom
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-19 16:13 --------- d-----w c:\programdata\DVD Shrink
2008-10-15 07:12 --------- d-----w c:\program files\Windows Mail
2008-10-15 07:02 --------- d-----w c:\programdata\Microsoft Help
2008-10-15 00:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 00:13 --------- d-----w c:\program files\Hewlett-Packard
2008-10-15 00:11 --------- d-----w c:\users\kibby\AppData\Roaming\Hewlett-Packard
2008-10-09 15:56 --------- d-----w c:\program files\foobar2000
2008-10-07 15:48 --------- d-----w c:\programdata\Viewpoint
2008-10-07 15:48 --------- d-----w c:\program files\TotalAudioConverter
2008-10-07 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Softplicity
2008-10-06 17:24 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 17:24 --------- d-----w c:\program files\iTunes
2008-10-06 17:24 --------- d-----w c:\program files\iPod
2008-10-06 17:17 --------- d-----w c:\program files\Bonjour
2008-10-06 00:21 --------- d-----w c:\program files\Xvid
2008-10-04 02:34 --------- d-----w c:\users\kibby\AppData\Roaming\.BitTornado
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-25 21:54 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-09-23 18:49 --------- d-----w c:\program files\QuickTime
2008-09-23 17:15 --------- d-----w c:\program files\iTunes(79)
2008-09-23 17:15 --------- d-----w c:\program files\iPod(78)
2008-09-23 17:13 --------- d-----w c:\program files\QuickTime(81)
2008-09-23 17:13 --------- d-----w c:\program files\Common Files\Apple
2008-09-23 17:08 --------- d-----w c:\program files\Bonjour(0)
2008-09-20 20:20 --------- d-----w c:\programdata\NVIDIA
2008-09-20 07:27 174 --sha-w c:\program files\desktop.ini
2008-09-20 07:18 --------- d-----w c:\program files\Windows Sidebar
2008-09-20 07:18 --------- d-----w c:\program files\Windows Photo Gallery
2008-09-20 07:18 --------- d-----w c:\program files\Windows Journal
2008-09-20 07:18 --------- d-----w c:\program files\Windows Defender
2008-09-20 07:18 --------- d-----w c:\program files\Windows Collaboration
2008-09-20 07:18 --------- d-----w c:\program files\Windows Calendar
2008-09-20 02:35 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-20 02:35 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-04 02:10 27,335 ----a-w c:\users\kibby\AppData\Roaming\nvModes.dat
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-07-15 13:13 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-10_ 8.50.16.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-10 03:05:41 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-11-10 21:22:40 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-11-10 03:05:41 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-11-10 21:22:40 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-11-10 03:07:12 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-11-10 21:24:13 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-11-10 03:07:11 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-11-10 21:24:12 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-11-10 13:38:42 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-10 21:15:07 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-10 13:38:42 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-10 21:15:07 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-10 13:38:42 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-10 21:15:07 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-10 03:09:09 7,868 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3896843634-2702929338-3619765367-1000_UserData.bin
+ 2008-11-10 21:24:43 7,884 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3896843634-2702929338-3619765367-1000_UserData.bin
- 2008-11-10 03:09:09 68,210 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-10 21:24:42 68,210 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-10 02:48:59 2,898 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-11-10 21:21:32 2,898 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-11-10 03:09:08 51,008 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-10 21:24:41 51,152 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-14 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 579584]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 451896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-12-11 291760]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-12-11 82864]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 106496]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-24 219136]
c:\users\kibby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk - c:\users\kibby\AppData\Local\Ericom\PowerTerm WebConnect 5.6\sbs.mcbridals.com\PtAgent.exe [2008-05-27 2295112]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-04 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-11-24 16:25 9216 c:\windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DDB79537-BE1B-49D8-9E35-865252F6818E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{62DAD364-9054-4450-8B64-1E97F59A49D1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5BC58A37-88F1-48D7-8BE5-98236F326965}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{977244DC-0C6F-4602-9E5D-F53F4137696A}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B3911568-681C-4786-BEA2-E6C5845AE21D}"= TCP:67:DHCP Discovery Service
"{A4A82682-D2F8-47D0-BA7D-239C57EE3C99}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{C22ECE1F-A57B-4AA5-8459-3F5D9DAFD0F6}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"TCP Query User{658363F6-C46D-4DEA-A707-8F6A739334FF}c:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{16D93087-EDDD-42AA-A9AE-76AC7F8A44B4}c:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{4E992B70-8441-477B-A303-B0B3751C076A}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= UDP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"UDP Query User{3C8057C6-6009-4997-B2C6-A0D03238DEFD}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= TCP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"{9329196A-CC01-403D-8277-4DB43E1DE79B}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F44D4F0D-6D59-45A9-9E73-9E823E6560FF}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{35E87E62-9FD5-4B88-AB1E-AB3C003BF2EA}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{2F0B9063-922B-4CE9-B2D5-2D9D187813CD}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3A09D74D-9B6D-4388-ABC9-1A95185DC5E1}"= UDP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{89436FFA-94A8-4954-88CE-15C56697B44D}"= TCP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{75E50432-A8D0-448F-BA2F-13ACE4577F40}"= UDP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{B56F5D1E-9558-416F-ADEE-977B984156A0}"= TCP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{A40A7234-AC4F-4A43-BCE8-71E8325471FF}"= UDP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"{E041AB7F-8EC4-48F2-82F0-9AF9AA318169}"= TCP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"TCP Query User{87C6CD61-B7EE-4DF5-80E6-FF2A3921022D}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= UDP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"UDP Query User{ED4534E2-12EE-415A-95C1-D6C844E881AA}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= TCP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"{A4DEA9D4-575A-4C1A-9CE3-81E72EF3CDB8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2843FA19-579D-42CB-83F7-65EAC6AC3340}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{110CD476-3F32-4ADE-8A24-6F906A3A983F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DA32CDCA-6BC8-4DBB-922E-A22A6A164564}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\system32\Drivers\avgwfp.sys [2008-06-28 53768]
S2 Windows Tribute Service;Windows Tribute Service;c:\windows\system32\kdlbv.exe [2008-11-10 70144]
S3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2007-12-14 5120]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-10-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2006-11-02 04:45]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 16:25:06
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\users\kibby\AppData\Local\Temp\WPDNSE
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\lxcrcoms.exe
c:\program files\Vongo\VongoService.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Grisoft\AVG7\avgcc.exe
c:\program files\Vongo\Tray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2008-11-10 16:32:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 21:32:46
ComboFix2.txt 2008-11-10 13:51:10
Pre-Run: 68,808,679,424 bytes free
Post-Run: 68,690,411,520 bytes free
264 --- E O F --- 2008-11-07 23:57:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:35 PM, on 11/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Vongo\Tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12217 bytes
There are still signs of it. 
This really is a stubborn one, but we'll get it.
Slight addition to the script I gave you to run before :
* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Do a Windows Search for it(kdlbv.exe) after you run ComboFix and delete any instances of it that might come up. How is it running now please?
Thanks,
tea
This really is a stubborn one, but we'll get it.Slight addition to the script I gave you to run before :
* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:
QUOTE
KILLALL::
File::
c:\windows\system32\kdlbv.exe
File::
c:\windows\system32\kdlbv.exe
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Do a Windows Search for it(kdlbv.exe) after you run ComboFix and delete any instances of it that might come up. How is it running now please?
Thanks,
tea
Ok Tea,
You are good!...thank you so much for your help! I searched for kdlbv.exe and it appears its now gone...nice job.
I did notice that this line of the registry still appears on the log but it says the file has been deleted:
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe (file missing) Not sure if that's enough.
You're the boss!
Here are the the logs.
ComboFix 08-11-09.04 - kibby 2008-11-10 21:30:05.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1019 [GMT -5:00]
Running from: c:\users\kibby\Desktop\Nick Stuff\ComboFix.exe
Command switches used :: c:\users\kibby\Desktop\Nick Stuff\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\kdlbv.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\kdlbv.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.
2008-11-09 16:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 11:24 . 2008-11-09 11:24 22 --a------ C:\RPT23432
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Mon Cheri Bridals, LLC
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Microsoft Visual Studio .NET 2003
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2008-11-05 06:34 . 2008-11-05 06:34 <DIR> d-------- c:\windows\System32\URTTEMP
2008-10-28 18:32 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-28 18:32 . 2008-09-17 23:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-28 18:32 . 2008-09-17 23:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-22 14:43 . 2008-08-05 04:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-22 14:43 . 2008-08-05 04:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-22 14:43 . 2008-08-05 04:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-22 14:43 . 2008-08-05 04:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-22 14:43 . 2008-08-05 04:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-16 12:27 . 2008-10-16 12:27 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-10-14 16:09 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-14 16:09 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-14 16:09 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-14 16:09 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-14 16:09 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-14 16:09 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 21:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-09 19:53 --------- d-----w c:\programdata\avg7
2008-11-08 17:49 --------- d-----w c:\programdata\Roxio
2008-11-08 16:03 --------- d-----w c:\users\kibby\AppData\Roaming\foobar2000
2008-11-06 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Ericom
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-19 16:13 --------- d-----w c:\programdata\DVD Shrink
2008-10-15 07:12 --------- d-----w c:\program files\Windows Mail
2008-10-15 07:02 --------- d-----w c:\programdata\Microsoft Help
2008-10-15 00:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 00:13 --------- d-----w c:\program files\Hewlett-Packard
2008-10-15 00:11 --------- d-----w c:\users\kibby\AppData\Roaming\Hewlett-Packard
2008-10-09 15:56 --------- d-----w c:\program files\foobar2000
2008-10-07 15:48 --------- d-----w c:\programdata\Viewpoint
2008-10-07 15:48 --------- d-----w c:\program files\TotalAudioConverter
2008-10-07 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Softplicity
2008-10-06 17:24 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 17:24 --------- d-----w c:\program files\iTunes
2008-10-06 17:24 --------- d-----w c:\program files\iPod
2008-10-06 17:17 --------- d-----w c:\program files\Bonjour
2008-10-06 00:21 --------- d-----w c:\program files\Xvid
2008-10-04 02:34 --------- d-----w c:\users\kibby\AppData\Roaming\.BitTornado
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-25 21:54 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-09-23 18:49 --------- d-----w c:\program files\QuickTime
2008-09-23 17:15 --------- d-----w c:\program files\iTunes(79)
2008-09-23 17:15 --------- d-----w c:\program files\iPod(78)
2008-09-23 17:13 --------- d-----w c:\program files\QuickTime(81)
2008-09-23 17:13 --------- d-----w c:\program files\Common Files\Apple
2008-09-23 17:08 --------- d-----w c:\program files\Bonjour(0)
2008-09-20 20:20 --------- d-----w c:\programdata\NVIDIA
2008-09-20 07:27 174 --sha-w c:\program files\desktop.ini
2008-09-20 07:18 --------- d-----w c:\program files\Windows Sidebar
2008-09-20 07:18 --------- d-----w c:\program files\Windows Photo Gallery
2008-09-20 07:18 --------- d-----w c:\program files\Windows Journal
2008-09-20 07:18 --------- d-----w c:\program files\Windows Defender
2008-09-20 07:18 --------- d-----w c:\program files\Windows Collaboration
2008-09-20 07:18 --------- d-----w c:\program files\Windows Calendar
2008-09-20 02:35 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-20 02:35 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-04 02:10 27,335 ----a-w c:\users\kibby\AppData\Roaming\nvModes.dat
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-07-15 13:13 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-10_ 8.50.16.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-10 03:07:12 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-11-11 02:33:51 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-11-10 03:07:11 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-11-11 02:33:51 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-11-10 13:38:42 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-11 02:25:55 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-10 13:38:42 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-11 02:25:55 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-10 13:38:42 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-11 02:25:55 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-10 03:10:39 106,220 ----a-w c:\windows\System32\perfc009.dat
+ 2008-11-10 21:30:59 106,220 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-10 03:10:39 607,356 ----a-w c:\windows\System32\perfh009.dat
+ 2008-11-10 21:30:59 607,356 ----a-w c:\windows\System32\perfh009.dat
- 2008-11-10 03:09:09 7,868 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3896843634-2702929338-3619765367-1000_UserData.bin
+ 2008-11-11 02:35:26 8,130 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3896843634-2702929338-3619765367-1000_UserData.bin
- 2008-11-10 03:09:09 68,210 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-11 02:35:26 68,210 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-10 02:48:59 2,898 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-11-10 21:21:32 2,898 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-11-10 03:09:08 51,008 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-11 02:35:20 51,438 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-14 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 579584]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 451896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-12-11 291760]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-12-11 82864]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 106496]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-24 219136]
c:\users\kibby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk - c:\users\kibby\AppData\Local\Ericom\PowerTerm WebConnect 5.6\sbs.mcbridals.com\PtAgent.exe [2008-05-27 2295112]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-04 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-11-24 16:25 9216 c:\windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DDB79537-BE1B-49D8-9E35-865252F6818E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{62DAD364-9054-4450-8B64-1E97F59A49D1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5BC58A37-88F1-48D7-8BE5-98236F326965}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{977244DC-0C6F-4602-9E5D-F53F4137696A}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B3911568-681C-4786-BEA2-E6C5845AE21D}"= TCP:67:DHCP Discovery Service
"{A4A82682-D2F8-47D0-BA7D-239C57EE3C99}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{C22ECE1F-A57B-4AA5-8459-3F5D9DAFD0F6}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"TCP Query User{658363F6-C46D-4DEA-A707-8F6A739334FF}c:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{16D93087-EDDD-42AA-A9AE-76AC7F8A44B4}c:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{4E992B70-8441-477B-A303-B0B3751C076A}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= UDP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"UDP Query User{3C8057C6-6009-4997-B2C6-A0D03238DEFD}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= TCP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"{9329196A-CC01-403D-8277-4DB43E1DE79B}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F44D4F0D-6D59-45A9-9E73-9E823E6560FF}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{35E87E62-9FD5-4B88-AB1E-AB3C003BF2EA}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{2F0B9063-922B-4CE9-B2D5-2D9D187813CD}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3A09D74D-9B6D-4388-ABC9-1A95185DC5E1}"= UDP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{89436FFA-94A8-4954-88CE-15C56697B44D}"= TCP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{75E50432-A8D0-448F-BA2F-13ACE4577F40}"= UDP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{B56F5D1E-9558-416F-ADEE-977B984156A0}"= TCP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{A40A7234-AC4F-4A43-BCE8-71E8325471FF}"= UDP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"{E041AB7F-8EC4-48F2-82F0-9AF9AA318169}"= TCP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"TCP Query User{87C6CD61-B7EE-4DF5-80E6-FF2A3921022D}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= UDP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"UDP Query User{ED4534E2-12EE-415A-95C1-D6C844E881AA}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= TCP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"{A4DEA9D4-575A-4C1A-9CE3-81E72EF3CDB8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2843FA19-579D-42CB-83F7-65EAC6AC3340}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{110CD476-3F32-4ADE-8A24-6F906A3A983F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DA32CDCA-6BC8-4DBB-922E-A22A6A164564}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\system32\Drivers\avgwfp.sys [2008-06-28 53768]
S2 Windows Tribute Service;Windows Tribute Service;c:\windows\system32\kdlbv.exe [ ]
S3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2007-12-14 5120]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-10-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2006-11-02 04:45]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 21:34:18
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\lxcrcoms.exe
c:\program files\Vongo\VongoService.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\program files\Grisoft\AVG7\avgcc.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Vongo\Tray.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-11-10 21:43:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-11 02:43:01
ComboFix2.txt 2008-11-10 21:32:58
ComboFix3.txt 2008-11-10 13:51:10
Pre-Run: 68,444,319,744 bytes free
Post-Run: 68,342,071,296 bytes free
270 --- E O F --- 2008-11-07 23:57:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:56 PM, on 11/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12183 bytes
You are good!...thank you so much for your help! I searched for kdlbv.exe and it appears its now gone...nice job.
I did notice that this line of the registry still appears on the log but it says the file has been deleted:
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe (file missing) Not sure if that's enough.
You're the boss!
Here are the the logs.
ComboFix 08-11-09.04 - kibby 2008-11-10 21:30:05.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1019 [GMT -5:00]
Running from: c:\users\kibby\Desktop\Nick Stuff\ComboFix.exe
Command switches used :: c:\users\kibby\Desktop\Nick Stuff\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\kdlbv.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\kdlbv.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.
2008-11-09 16:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 11:24 . 2008-11-09 11:24 22 --a------ C:\RPT23432
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Mon Cheri Bridals, LLC
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Microsoft Visual Studio .NET 2003
2008-11-05 06:40 . 2008-11-05 06:40 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2008-11-05 06:34 . 2008-11-05 06:34 <DIR> d-------- c:\windows\System32\URTTEMP
2008-10-28 18:32 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-28 18:32 . 2008-09-17 23:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-28 18:32 . 2008-09-17 23:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-22 14:43 . 2008-08-05 04:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-22 14:43 . 2008-08-05 04:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-22 14:43 . 2008-08-05 04:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-22 14:43 . 2008-08-05 04:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-22 14:43 . 2008-08-05 04:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-16 12:27 . 2008-10-16 12:27 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-10-14 16:09 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-14 16:09 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-14 16:09 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-14 16:09 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-14 16:09 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-14 16:09 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 21:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-09 19:53 --------- d-----w c:\programdata\avg7
2008-11-08 17:49 --------- d-----w c:\programdata\Roxio
2008-11-08 16:03 --------- d-----w c:\users\kibby\AppData\Roaming\foobar2000
2008-11-06 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Ericom
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-19 16:13 --------- d-----w c:\programdata\DVD Shrink
2008-10-15 07:12 --------- d-----w c:\program files\Windows Mail
2008-10-15 07:02 --------- d-----w c:\programdata\Microsoft Help
2008-10-15 00:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 00:13 --------- d-----w c:\program files\Hewlett-Packard
2008-10-15 00:11 --------- d-----w c:\users\kibby\AppData\Roaming\Hewlett-Packard
2008-10-09 15:56 --------- d-----w c:\program files\foobar2000
2008-10-07 15:48 --------- d-----w c:\programdata\Viewpoint
2008-10-07 15:48 --------- d-----w c:\program files\TotalAudioConverter
2008-10-07 15:44 --------- d-----w c:\users\kibby\AppData\Roaming\Softplicity
2008-10-06 17:24 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 17:24 --------- d-----w c:\program files\iTunes
2008-10-06 17:24 --------- d-----w c:\program files\iPod
2008-10-06 17:17 --------- d-----w c:\program files\Bonjour
2008-10-06 00:21 --------- d-----w c:\program files\Xvid
2008-10-04 02:34 --------- d-----w c:\users\kibby\AppData\Roaming\.BitTornado
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-25 21:54 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-09-23 18:49 --------- d-----w c:\program files\QuickTime
2008-09-23 17:15 --------- d-----w c:\program files\iTunes(79)
2008-09-23 17:15 --------- d-----w c:\program files\iPod(78)
2008-09-23 17:13 --------- d-----w c:\program files\QuickTime(81)
2008-09-23 17:13 --------- d-----w c:\program files\Common Files\Apple
2008-09-23 17:08 --------- d-----w c:\program files\Bonjour(0)
2008-09-20 20:20 --------- d-----w c:\programdata\NVIDIA
2008-09-20 07:27 174 --sha-w c:\program files\desktop.ini
2008-09-20 07:18 --------- d-----w c:\program files\Windows Sidebar
2008-09-20 07:18 --------- d-----w c:\program files\Windows Photo Gallery
2008-09-20 07:18 --------- d-----w c:\program files\Windows Journal
2008-09-20 07:18 --------- d-----w c:\program files\Windows Defender
2008-09-20 07:18 --------- d-----w c:\program files\Windows Collaboration
2008-09-20 07:18 --------- d-----w c:\program files\Windows Calendar
2008-09-20 02:35 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-20 02:35 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-04 02:10 27,335 ----a-w c:\users\kibby\AppData\Roaming\nvModes.dat
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-07-15 13:13 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-07-15 13:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-10_ 8.50.16.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-10 03:07:12 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-11-11 02:33:51 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-11-10 03:07:11 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-11-11 02:33:51 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-11-10 13:38:42 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-11 02:25:55 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-10 13:38:42 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-11 02:25:55 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-10 13:38:42 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-11 02:25:55 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-10 03:10:39 106,220 ----a-w c:\windows\System32\perfc009.dat
+ 2008-11-10 21:30:59 106,220 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-10 03:10:39 607,356 ----a-w c:\windows\System32\perfh009.dat
+ 2008-11-10 21:30:59 607,356 ----a-w c:\windows\System32\perfh009.dat
- 2008-11-10 03:09:09 7,868 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3896843634-2702929338-3619765367-1000_UserData.bin
+ 2008-11-11 02:35:26 8,130 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3896843634-2702929338-3619765367-1000_UserData.bin
- 2008-11-10 03:09:09 68,210 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-11 02:35:26 68,210 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-10 02:48:59 2,898 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-11-10 21:21:32 2,898 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-11-10 03:09:08 51,008 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-11 02:35:20 51,438 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-14 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 579584]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 451896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-12-11 291760]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-12-11 82864]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 106496]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-24 219136]
c:\users\kibby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk - c:\users\kibby\AppData\Local\Ericom\PowerTerm WebConnect 5.6\sbs.mcbridals.com\PtAgent.exe [2008-05-27 2295112]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-08-04 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-11-24 16:25 9216 c:\windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DDB79537-BE1B-49D8-9E35-865252F6818E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{62DAD364-9054-4450-8B64-1E97F59A49D1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5BC58A37-88F1-48D7-8BE5-98236F326965}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{977244DC-0C6F-4602-9E5D-F53F4137696A}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F238082B-3978-480D-B122-CF2A1C1231A2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B3911568-681C-4786-BEA2-E6C5845AE21D}"= TCP:67:DHCP Discovery Service
"{A4A82682-D2F8-47D0-BA7D-239C57EE3C99}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{C22ECE1F-A57B-4AA5-8459-3F5D9DAFD0F6}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"TCP Query User{658363F6-C46D-4DEA-A707-8F6A739334FF}c:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{16D93087-EDDD-42AA-A9AE-76AC7F8A44B4}c:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{4E992B70-8441-477B-A303-B0B3751C076A}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= UDP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"UDP Query User{3C8057C6-6009-4997-B2C6-A0D03238DEFD}c:\\users\\kibby\\appdata\\local\\ericom\\powerterm webconnect 5.6\\sbs.mcbridals.com\\ptermx.exe"= TCP:c:\users\kibby\appdata\local\ericom\powerterm webconnect 5.6\sbs.mcbridals.com\ptermx.exe:ptermx.exe
"{9329196A-CC01-403D-8277-4DB43E1DE79B}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{F44D4F0D-6D59-45A9-9E73-9E823E6560FF}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{35E87E62-9FD5-4B88-AB1E-AB3C003BF2EA}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{2F0B9063-922B-4CE9-B2D5-2D9D187813CD}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3A09D74D-9B6D-4388-ABC9-1A95185DC5E1}"= UDP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{89436FFA-94A8-4954-88CE-15C56697B44D}"= TCP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{75E50432-A8D0-448F-BA2F-13ACE4577F40}"= UDP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{B56F5D1E-9558-416F-ADEE-977B984156A0}"= TCP:c:\program files\Lexmark 2400 Series\lxcrmon.exe:Device Monitor
"{A40A7234-AC4F-4A43-BCE8-71E8325471FF}"= UDP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"{E041AB7F-8EC4-48F2-82F0-9AF9AA318169}"= TCP:c:\program files\Lexmark 2400 Series\LXCRaiox.exe:All In One Center
"TCP Query User{87C6CD61-B7EE-4DF5-80E6-FF2A3921022D}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= UDP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"UDP Query User{ED4534E2-12EE-415A-95C1-D6C844E881AA}c:\\users\\kibby\\desktop\\nick stuff\\bittornado\\btdownloadgui.exe"= TCP:c:\users\kibby\desktop\nick stuff\bittornado\btdownloadgui.exe:btdownloadgui.exe
"{A4DEA9D4-575A-4C1A-9CE3-81E72EF3CDB8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2843FA19-579D-42CB-83F7-65EAC6AC3340}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{110CD476-3F32-4ADE-8A24-6F906A3A983F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DA32CDCA-6BC8-4DBB-922E-A22A6A164564}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\system32\Drivers\avgwfp.sys [2008-06-28 53768]
S2 Windows Tribute Service;Windows Tribute Service;c:\windows\system32\kdlbv.exe [ ]
S3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2007-12-14 5120]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-10-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2006-11-02 04:45]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 21:34:18
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\lxcrcoms.exe
c:\program files\Vongo\VongoService.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\program files\Grisoft\AVG7\avgcc.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Vongo\Tray.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-11-10 21:43:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-11 02:43:01
ComboFix2.txt 2008-11-10 21:32:58
ComboFix3.txt 2008-11-10 13:51:10
Pre-Run: 68,444,319,744 bytes free
Post-Run: 68,342,071,296 bytes free
270 --- E O F --- 2008-11-07 23:57:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:56 PM, on 11/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdlbv.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12183 bytes
Hello,
Excellent. Run HijackThis and put a check next to that entry, click Fix checked, then reboot. It's just an orphan now, but I bet you don't want to see it any more than I do. 
Let me know if it won't go.....we may have to go after the orphaned registry key.
tea
Excellent.
Run HijackThis and put a check next to that entry, click Fix checked, then reboot. It's just an orphan now, but I bet you don't want to see it any more than I do. Let me know if it won't go.....we may have to go after the orphaned registry key.
tea
Tea,
Nice job! It appears to be gone. I guess that's it unless you see anything else. You are awesome! Here's the hijack log run after your last instruction was carried out.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:18 AM, on 11/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Vongo\Tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12170 bytes
Nice job! It appears to be gone. I guess that's it unless you see anything else. You are awesome! Here's the hijack log run after your last instruction was carried out.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:18 AM, on 11/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Vongo\Tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Mon Cheri Bridals. LLC - PowerTerm WebConnect Application Zone by Ericom.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://sbs.mcbridals.com:88/webconnect5.6/...tdownloader.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 12170 bytes
Hello,
Looks clean to me. Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.
I think the time has come for us to part ways. Update your AVG to 8......7 is outdated now.
If there are no further problems:
Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.
Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.
You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.
In order to protect yourself against spyware, you should consider installing and running the following free programs:
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.
* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.
Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
Please make sure to run your antivirus software regularly, and to keep it up-to-date.
Please also read Tony Klein's excellent article: How I got Infected in the First Place
Take care!
tea
Looks clean to me.
Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.I think the time has come for us to part ways.
Update your AVG to 8......7 is outdated now. If there are no further problems:
Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.
Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.
You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.
In order to protect yourself against spyware, you should consider installing and running the following free programs:
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.
* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.
Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
Please make sure to run your antivirus software regularly, and to keep it up-to-date.
Please also read Tony Klein's excellent article: How I got Infected in the First Place
Take care!
tea
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.