Google Links Hijack...


DomBray



Joined: Jun 01, 2008
Posts: 12



PostPosted: Mon Jun 02, 2008 10:35 am    Post subject: Google Links Hijack...

Hi, I have a problem where most search results in Google link to odd sites, mostly offering domain names relevant to my search term, other search engines and some such. If I cut and paste the link it works fine. Reading other logs, I found that disabling third-party cookies prevented the problem, so I then went and tried to delete all my unwanted cookies so I could leave IE running normally, but the problem persists.

While disabling third party cookies works to solve the problem, it is obviously only masking rather than fixing/solving the problem.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:53, on 02/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
D:\Dom's data\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] C:\Program Files\HP\QuickPlay\QPService.exe
O4 - HKLM\..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [calc.exe] C:\Users\DOMINI~1\AppData\Local\Temp\calc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Startup Manager] C:\Users\Dominic Bray\AppData\Roaming\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdetx.exe

--
End of file - 12031 bytes

Thanks for any help!
greyknight17



Joined: Feb 03, 2003
Posts: 4864

Location: Brooklyn, NY

PostPosted: Mon Jun 02, 2008 11:13 am    Post subject: Re: Google Links Hijack...

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main, choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O4 - HKLM\..\Run: [calc.exe] C:\Users\DOMINI~1\AppData\Local\Temp\calc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdetx.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Windows\system32\kdetx.exe

1. Download ComboFix at http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe or http://download.bleepingcomputer.com/sUBs/ComboFix.exe. Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
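The entries greyknight17 picks out above follow three recognisable patterns: a Run-key autorun started from a Temp folder, Internet Explorer policy restrictions, and a service with no company name living in the Windows system directory. The script below, added here as an example and not part of the thread or of HijackThis, applies exactly those heuristics to HijackThis-format lines; the function and class names (`triage`, `launched_image`, `Finding`) are my own, and the sample lines are a constructed subset copied from the log posted above.

```python
"""Triage HijackThis-format log lines with the heuristics used in this thread:
autoruns launched from a Temp folder (O4), Internet Explorer policy
restrictions (O6) and services with no company name running from the Windows
system directory (O23). Example code, not part of HijackThis or the thread."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [calc.exe] C:\Users\DOMINI~1\AppData\Local\Temp\calc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdetx.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> section code and the rest of the line
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Run-key entries: "<hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Service entries: "Service: <display name> - <company> - <image path>"
# (non-greedy name/owner so an image path containing " - " still parses)
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Windows system directory on any drive letter, compared lower-cased
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def launched_image(cmd: str) -> str:
    """Return the executable a Run-key command line actually starts.

    A quoted path is taken verbatim; otherwise the first token ending in .exe
    (so 'RUNDLL32.EXE foo.dll,Entry' yields RUNDLL32.EXE, not the DLL)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would ask the poster to fix, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line or running-process list
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4 and "\\temp\\" in launched_image(o4.group("cmd")).lower():
                findings.append(Finding(section, "autorun launched from a Temp folder", line))
        elif section == "O6" and body.endswith(" present"):
            findings.append(Finding(section, "Internet Explorer policy restriction set; confirm it was intended", line))
        elif section == "O23":
            o23 = O23_RE.match(body)
            if (o23 and o23.group("owner") == "Unknown owner"
                    and SYSTEM_DIR_RE.match(o23.group("path").lower())):
                findings.append(Finding(section, "service with no company name running from the system directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports only the four lines the helper asked to fix (calc.exe, the two O6 policies and kdetx.exe), while the McAfee, CyberLink and Synaptics entries pass.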
DomBray



Joined: Jun 01, 2008
Posts: 12



PostPosted: Mon Jun 02, 2008 7:04 pm    Post subject: HELP!

I am on my other half's computer... sigh...

I did all that you asked and ran ComboFix (by the way, the first link you gave returned a 0-byte file). The machine did what I guess it should and then restarted; Spybot warned me it was doing lots of stuff to my registry etc., but I allowed it to. Now on restart it runs ComboFix, but it is stuck on the screen with just this message:

"The system cannot find message text for message number 0x8 in the messafe file f" breaks on to a new line "or system"

Task Manager shows that the program is doing nothing and I've been waiting for half an hour or so. As there were warnings about how much it could mess up my system, I dare not end the task... it certainly doesn't look like it will produce a log for me...

HELP!
DomBray



Joined: Jun 01, 2008
Posts: 12



PostPosted: Mon Jun 02, 2008 8:15 pm    Post subject:

OK, so I ended the ComboFix task, as it had done nothing for a very long time (and I was very careful not to click in its box, as warned), and restarted.

I did a search on google and clicked on a link and I'm still being hijacked...

Having ended the task on startup, I then ran ComboFix again, and this time it seemed to finish and created a log. It is included here along with a rerun HijackThis log.

If you want me to try ComboFix again from scratch then please let me know...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23:51, on 02/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
D:\Dom's data\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] C:\Program Files\HP\QuickPlay\QPService.exe
O4 - HKLM\..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Startup Manager] C:\Users\Dominic Bray\AppData\Roaming\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdetx.exe

--
End of file - 11805 bytes

Combofix:

ComboFix 08-06-01.6 - Dominic Bray 2008-06-02 19:39:31.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1305 [GMT -4:00]
Running from: C:\Users\Dominic Bray\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Windows\Downloaded Program Files\setup.inf
C:\Windows\setup.exe
C:\Windows\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 23:34 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\Skype
2008-06-02 22:47 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\skypePM
2008-06-02 14:33 28,000 ----a-w C:\Users\Dominic Bray\AppData\Roaming\nvModes.dat
2008-06-01 12:12 --------- d-----w C:\Program Files\Browser Hijack Recover
2008-06-01 02:46 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 02:45 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\Yahoo!
2008-06-01 02:45 --------- d-----w C:\PROGRA~2\Yahoo!
2008-06-01 02:44 --------- d-----w C:\Program Files\SpywareGuard
2008-06-01 02:36 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy
2008-06-01 02:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-01 02:13 --------- d-----w C:\Program Files\Uniblue
2008-06-01 01:51 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-15 08:28 --------- d-----w C:\Program Files\FreeCodec
2008-05-14 13:00 --------- d-----w C:\Program Files\Windows Mail
2008-05-14 13:00 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-05-12 22:39 --------- d-----w C:\Program Files\Java
2008-04-24 09:59 --------- d-----w C:\Program Files\Apple Software Update
2008-04-16 18:25 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2008-04-14 08:06 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\ZoomBrowser EX
2008-04-14 08:05 --------- d-----w C:\PROGRA~2\ZoomBrowser
2008-04-03 01:49 --------- d-----w C:\Program Files\iTunes
2008-04-03 01:49 --------- d-----w C:\Program Files\iPod
2008-04-03 01:47 --------- d-----w C:\Program Files\QuickTime
2008-03-22 14:22 691,545 ----a-w C:\Windows\unins001.exe
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-03-05 20:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 19:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-01-11 09:16 27,525 ----a-w C:\Users\Tiffany\AppData\Roaming\nvModes.dat
2007-08-30 15:20 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Startup Manager"="C:\Users\Dominic Bray\AppData\Roaming\Systweak\ASO 2\smstartUp manager.exe" [ ]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 01:14 833072]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 16:44 178712]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-28 10:48 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-06-28 10:55 81920]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-16 23:34 634880]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 13:50 4390912 C:\Windows\RtHDVCpl.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 21:11 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 14:38 159744]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-28 10:58 86016]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 16:18 472776]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-09-19 18:30 66816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CognizanceTS"="C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 14:12 17920]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 19:12 317128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-03-20 18:23 1773568 C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"C:\\Program Files\\Vongo\\VongoService.exe"= C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FD8CC398-C3F7-41BE-98A5-C6A62BB10958}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{13C9E86B-54AE-4A87-A2EF-44ED2B50EF5F}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{220513BC-B2BE-4FA0-BAC9-60F5F7F74726}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{5A90CF99-4F43-41A7-BD63-833D156B1E88}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{95383F02-9BF8-4FFB-9917-671A202B8E80}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CD4068D7-B5D6-4E40-BF0F-A5E33A97304B}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{94F144FD-51FF-47FC-9888-47B9EB6EBB2C}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D4E92348-BAF7-45C0-8F15-C60F4331067A}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F03EBEA6-16B0-45AC-BFB6-B06BA544D646}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{463360B5-9168-4A8C-99C2-D408F72A831A}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D564992B-5CA3-4CFE-89DE-F51A05383AA1}"= UDP:C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe:Sid Meier's Railroads!
"{44E83821-173E-4349-87AF-789E3CEEF7B0}"= TCP:C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe:Sid Meier's Railroads!
"{D69BE963-543F-4842-ACA1-3ADD37937BE6}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{943D345A-DDD2-4608-A522-89DB7DE7456C}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E0B96FE8-16AA-448D-B25A-6EAB65C651E3}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{7D1CD1B9-94A9-4A2B-8098-BFB83748D6E3}"= UDP:C:\Program Files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{DCE2976C-173C-4A22-AD67-ED1B57A658B1}"= TCP:C:\Program Files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"TCP Query User{F153CD47-A2F5-4CC3-AA91-482B08DA73FA}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{CF2C1141-834C-4036-9EC9-F052A1BBDBFB}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{79C751E4-E1CB-4897-860B-F405E576AEA4}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{0BABAE05-D130-4304-AD15-7B7869A8F7D4}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{52169A6C-7525-4357-946B-93B90A54953F}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5CA65638-723C-4A78-864C-333C28B79467}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1862F230-11F0-492F-AD3B-3B57C53C6CBE}"= UDP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{3EFF0819-957F-4CDC-8A55-2E7A647A54DB}"= TCP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{3DA81763-FF80-46C1-9A66-8C6D1D8D902C}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D5FCCFCF-9F0D-4D5B-AFB8-4EA2383874FE}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D2259ED0-5E0A-4B97-8EF4-C18BCD39D042}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{80659C04-5504-43AD-83F8-2FAB71225C55}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{40126194-9F71-4254-A3FE-F799B7446AD3}C:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{C4707A27-888B-43A5-8F2A-935C2E589151}C:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{E0C2ECBA-811F-42CB-96B8-D7218E49BBF8}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{28A6D1A8-CEE3-46C8-AB0E-FB9F6366073A}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{F2340717-D365-461C-9B04-2A90A4D42A60}D:\\program files\\defcon\\defcon.exe"= UDP:D:\program files\defcon\defcon.exe:Defcon
"UDP Query User{D7B0C48C-EC1C-460B-95A2-C28BE192BD80}D:\\program files\\defcon\\defcon.exe"= TCP:D:\program files\defcon\defcon.exe:Defcon
"TCP Query User{603D0C20-4068-4FB0-BB0D-492FB16A42F4}D:\\program files\\defcon\\defcon.exe"= UDP:D:\program files\defcon\defcon.exe:Defcon
"UDP Query User{618DC0E1-0469-4275-993C-3882198618EF}D:\\program files\\defcon\\defcon.exe"= TCP:D:\program files\defcon\defcon.exe:Defcon
"{DC07D727-0911-4A80-A530-02843E182319}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{AD3276C4-5A26-4AF4-9D1F-BD735216A01A}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"TCP Query User{B93DE00F-44D7-4B30-8017-37E54A60F30B}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{893BBCD1-AF16-4314-8A43-60B19185FBF6}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{25C89A67-3248-446B-B746-62066170CD80}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{73D9848B-CF7D-4C53-8E3F-5037C902DFDE}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{AFD09D1D-B715-411B-A3B0-5D5CD4577EA9}"= UDP:D:\Program Files\Time of Defiance (2006)\Time of Defiance.exe:Run Time of Defiance
"{CC6D8ED8-A93D-41B6-B95F-D8F7024B66A8}"= TCP:D:\Program Files\Time of Defiance (2006)\Time of Defiance.exe:Run Time of Defiance
"{0C4AB8DD-F10A-43B5-B95C-E831DFB3701A}"= UDP:D:\Program Files\Time of Defiance (2006)\Launcher\NiCEUpdateClient.exe:NiCEUpdateClient.exe
"{43A8482B-056C-45F4-9572-0057D4DCF119}"= TCP:D:\Program Files\Time of Defiance (2006)\Launcher\NiCEUpdateClient.exe:NiCEUpdateClient.exe
"{1DF76749-A93B-4397-B837-E075FE9CD46E}"= UDP:D:\Program Files\Time of Defiance (2006)\Launcher\NiCELauncher.exe:NiCELauncher.exe
"{0A6CF7EA-1913-476D-ACEB-DAE9F9860668}"= TCP:D:\Program Files\Time of Defiance (2006)\Launcher\NiCELauncher.exe:NiCELauncher.exe
"TCP Query User{6D3C8158-D4AF-4146-9E33-4AF0E07F9E1E}D:\\program files\\time of defiance (2006)\\aliceclient.exe"= UDP:D:\program files\time of defiance (2006)\aliceclient.exe:AliceClientAR
"UDP Query User{C38CFE04-51F1-4C34-BDF6-D3DA749832A9}D:\\program files\\time of defiance (2006)\\aliceclient.exe"= TCP:D:\program files\time of defiance (2006)\aliceclient.exe:AliceClientAR
"TCP Query User{092CFB1E-2040-4DA9-B79D-CC445B72E2B9}D:\\program files\\time of defiance (2006)\\aliceclient.exe"= UDP:D:\program files\time of defiance (2006)\aliceclient.exe:AliceClientAR
"UDP Query User{1F7A87CC-CA9D-46AB-8B46-AEA2AB0AA7D4}D:\\program files\\time of defiance (2006)\\aliceclient.exe"= TCP:D:\program files\time of defiance (2006)\aliceclient.exe:AliceClientAR
"{84886F14-0DFF-4ED6-92E7-5C18073AD027}"= UDP:C:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe:Stronghold 2
"{B202A427-82B3-43E4-9C9A-964D52C1EF1B}"= TCP:C:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe:Stronghold 2
"TCP Query User{6361CEB8-55A1-4604-BF5B-E68A0C16E1ED}C:\\program files\\firefly studios\\stronghold 2\\stronghold2.exe"= UDP:C:\program files\firefly studios\stronghold 2\stronghold2.exe:Stronghold 2
"UDP Query User{6E667EA1-A8EB-4CD3-A745-DC83BFBCAB5C}C:\\program files\\firefly studios\\stronghold 2\\stronghold2.exe"= TCP:C:\program files\firefly studios\stronghold 2\stronghold2.exe:Stronghold 2
"{1C0CD43D-2277-4B71-B8BE-3A06D2886E73}"= UDP:6667:strongholdtcp1
"{9B9667C0-180E-4D12-B79C-888E650C15A6}"= UDP:28910:strongholdtcp2
"{55E5A07A-0355-45FC-9DAA-1676424A1E7C}"= TCP:19966:strongholdudp
"{D12E08A7-B4AA-41A8-B89D-6B7CB018C0A7}"= TCP:13139:stongholdudp2
"{DCB16D7E-69E2-4D23-946C-B72355F6B250}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5FE2B4A1-DC14-4EDC-8B39-B12FB984B07D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{E3CBB4A4-0063-439C-B6FB-748A14528CAF}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7ADCED3D-5EE8-49CA-8D3B-538FD4A1A3B7}"= UDP:D:\Program Files\Pollux Gamelabs\Lost Empire - Immortals\LostEmpire.exe:Lost Empire - Immortals
"{93C76CB9-8C04-40D6-89DA-D32AB5B09138}"= TCP:D:\Program Files\Pollux Gamelabs\Lost Empire - Immortals\LostEmpire.exe:Lost Empire - Immortals
"{27098C1E-0591-4265-A9B0-135BFEE41034}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1B473951-6BFE-4FFF-982A-4ABBAE93E7F8}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 ASBroker;Logon Session Broker;C:\Windows\System32\svchost.exe [2006-11-02 05:45]
R2 ASChannel;Local Communication Channel;C:\Windows\System32\svchost.exe [2006-11-02 05:45]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 Windows Tribute Service;Windows Tribute Service;C:\Windows\system32\kdetx.exe [2007-11-15 03:51]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 03:30]
S3 hcw85bda;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2006-12-01 18:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{065802b6-5095-11dc-940e-806e6f6e6963}]
\shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32225249-c62d-11dc-ada8-001b24637f40}]
\shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a970b7-a26b-11dc-ae27-001b24637f40}]
\shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-21 15:28:04 C:\Windows\Tasks\HPCeeScheduleForDominic Bray.job"
- C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe$HPCeeScheduleForDominic Bray (null)
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 19:41:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Windows\TEMP\TMP000000643E5899C494E7AA16 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-06-02 19:42:31
ComboFix-quarantined-files.txt 2008-06-02 23:42:24

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

230 --- E O F --- 2008-05-31 03:46:08


Thank you again for your help!
greyknight17



Joined: Feb 03, 2003
Posts: 4864

Location: Brooklyn, NY

PostPosted: Wed Jun 04, 2008 12:58 pm

Please disable Spybot's TeaTimer program when doing the fixes. It will interfere with them and cause problems. Sorry I forgot to mention that earlier.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install. Make sure Run fixit is checked and click Finish. The fix will begin. Follow the prompts. You will be asked to reboot your computer. Your system may take longer than usual to load - this is normal.

Wait until your desktop loads. A notepad file called report.txt should open up. Post that log here.


Download Malwarebytes' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
KILLALL::
Driver::
Windows Tribute Service
File::
C:\Windows\system32\kdetx.exe

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
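The CFScript above singles out one entry from the posted log: a service listed as S2 whose binary sits directly in system32 under an arbitrary name (C:\Windows\system32\kdetx.exe, registered as "Windows Tribute Service"), next to Security Center values that switch monitoring and notifications off. As an added example, not code from this thread or from ComboFix itself, the Python below parses ComboFix-style service lines, registry loading points and mountpoints2 autorun entries and flags exactly those indicators. The allowlist of executables Windows legitimately runs as services from system32 and the sample input (lines copied from the log posted above, assembled here as a constructed fragment) are the example's own assumptions.

```python
"""Triage a ComboFix-style log for the indicators the CFScript targets.

Added example; not part of the forum thread and not ComboFix code.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

R2 ASBroker;Logon Session Broker;C:\Windows\System32\svchost.exe [2006-11-02 05:45]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
S2 Windows Tribute Service;Windows Tribute Service;C:\Windows\system32\kdetx.exe [2007-11-15 03:51]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 03:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{065802b6-5095-11dc-940e-806e6f6e6963}]
\shell\AutoRun\command - F:\autorun.exe
"""

# ComboFix service line: "<start> <name>;<display name>;<image path> [<date>]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[\d{4}-\d{2}-\d{2}")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command - (.+)$")

# Assumed allowlist: binaries Windows itself runs as services straight from system32.
SYSTEM32_SERVICE_HOSTS = {
    "svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe",
    "dllhost.exe", "msiexec.exe",
}
SYSTEM32_ROOT_RE = re.compile(r"\\windows\\system32\\([^\\]+)$")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious service, Security Center override,
    AppInit_DLLs entry or removable-drive autorun command in the log."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)  # registry values below belong to this key
            continue

        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image = m.groups()
            # A service binary dropped directly into system32 under a name that is
            # not a known Windows service host is the pattern kdetx.exe shows.
            m2 = SYSTEM32_ROOT_RE.search(image.lower())
            if m2 and m2.group(1) not in SYSTEM32_SERVICE_HOSTS:
                findings.append({"kind": "service", "detail": f"{name} -> {image}",
                                 "why": "service binary directly in system32, not a known host"})
            continue

        m = AUTORUN_RE.match(line)
        if m:
            findings.append({"kind": "autorun", "detail": m.group(1),
                             "why": "AutoRun command recorded for a removable drive"})
            continue

        m = VALUE_RE.match(line)
        if m:
            value_name, data = m.group(1), m.group(2).strip()
            in_security_center = "security center" in current_key.lower()
            disables = value_name == "DisableMonitoring" or value_name.endswith("DisableNotify")
            if in_security_center and disables and data == "dword:00000001":
                findings.append({"kind": "securitycenter",
                                 "detail": f"{current_key}\\{value_name}",
                                 "why": "Security Center monitoring/notification switched off"})
            elif value_name == "AppInit_DLLs" and data:
                # Loaded into every process that links user32.dll; verify the publisher.
                findings.append({"kind": "appinit", "detail": data,
                                 "why": "AppInit_DLLs set; confirm the DLL is expected"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}  ({f['why']})")
```

The service check is deliberately narrow: it ignores drivers under system32\DRIVERS and anything under Program Files, so the Spybot and Broadcom entries from the same log pass while kdetx.exe is the only hit. The Security Center findings are not proof of malware on their own (third-party suites set them too), which is why the script reports them separately rather than folding them into the service verdict.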
DomBray



Joined: Jun 01, 2008
Posts: 12



PostPosted: Thu Jun 05, 2008 7:25 pm

Ok so here goes...

I still have redirects..

Fixwareout would not run; it claimed the platform was unsupported (VISTA HOME PREMIUM)

Malwarebytes found nothing malicious:

------------Log file starts:------------
Malwarebytes' Anti-Malware 1.14
Database version: 829

19:11:12 05/06/2008
mbam-log-6-5-2008 (19-11-12).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 309572
Time elapsed: 1 hour(s), 6 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
---------EOF---------------

ComboFix returned no log when run with the CFScript.txt. After my machine had rebooted from it being run with the script file, I re-ran ComboFix without the script to obtain a log; I fear I forgot to turn off Spybot at that time...

---------------Log file:------------------
ComboFix 08-06-01.6 - Dominic Bray 2008-06-05 19:19:41.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1219 [GMT -4:00]
Running from: C:\Users\Dominic Bray\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 23:23 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\Skype
2008-06-05 22:02 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\Malwarebytes
2008-06-05 22:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 22:02 --------- d-----w C:\PROGRA~2\Malwarebytes
2008-06-05 21:38 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\skypePM
2008-06-02 23:47 28,000 ----a-w C:\Users\Dominic Bray\AppData\Roaming\nvModes.dat
2008-06-01 12:12 --------- d-----w C:\Program Files\Browser Hijack Recover
2008-06-01 02:46 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 02:45 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\Yahoo!
2008-06-01 02:45 --------- d-----w C:\PROGRA~2\Yahoo!
2008-06-01 02:44 --------- d-----w C:\Program Files\SpywareGuard
2008-06-01 02:36 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy
2008-06-01 02:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-01 02:13 --------- d-----w C:\Program Files\Uniblue
2008-06-01 01:51 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-30 05:06 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-05-30 05:06 15,864 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-05-15 08:28 --------- d-----w C:\Program Files\FreeCodec
2008-05-14 13:00 --------- d-----w C:\Program Files\Windows Mail
2008-05-14 13:00 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-05-12 22:39 --------- d-----w C:\Program Files\Java
2008-04-24 09:59 --------- d-----w C:\Program Files\Apple Software Update
2008-04-16 18:25 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2008-04-14 08:06 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\ZoomBrowser EX
2008-04-14 08:05 --------- d-----w C:\PROGRA~2\ZoomBrowser
2008-03-22 14:22 691,545 ----a-w C:\Windows\unins001.exe
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-03-05 20:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 19:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-01-11 09:16 27,525 ----a-w C:\Users\Tiffany\AppData\Roaming\nvModes.dat
2007-08-30 15:20 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot.TakeThisOut@2008-06-02_19.42.14.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-02 22:56:13 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-05 23:14:40 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-02 22:56:13 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-05 23:14:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-06-02 22:56:13 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-06-05 23:14:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-02 22:57:40 151,552 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-05 23:16:04 151,552 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-06-02 22:57:40 151,552 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-05 23:16:04 151,552 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-06-02 16:44:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-05 21:09:38 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-02 16:44:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 21:09:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-02 16:44:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-05 21:09:38 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-04 21:56:32 2,456 ----a-w C:\Windows\System32\networklist\icons\{45522FA8-696C-42C1-81FE-3040F0ECDEC0}_24.bin
+ 2008-06-04 21:56:32 4,280 ----a-w C:\Windows\System32\networklist\icons\{45522FA8-696C-42C1-81FE-3040F0ECDEC0}_32.bin
+ 2008-06-04 21:56:32 9,560 ----a-w C:\Windows\System32\networklist\icons\{45522FA8-696C-42C1-81FE-3040F0ECDEC0}_48.bin
- 2008-06-02 22:59:39 12,038 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3284383407-3912586842-369745289-1000_UserData.bin
+ 2008-06-05 23:18:03 12,206 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3284383407-3912586842-369745289-1000_UserData.bin
- 2008-06-02 22:59:39 71,238 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-05 23:18:03 71,286 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-02 22:47:49 35,110 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-05 11:27:29 35,198 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Startup Manager"="C:\Users\Dominic Bray\AppData\Roaming\Systweak\ASO 2\smstartUp manager.exe" [ ]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 01:14 833072]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 16:44 178712]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-28 10:48 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-06-28 10:55 81920]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-16 23:34 634880]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 13:50 4390912 C:\Windows\RtHDVCpl.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 21:11 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 14:38 159744]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-28 10:58 86016]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 16:18 472776]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-09-19 18:30 66816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CognizanceTS"="C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 14:12 17920]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 19:12 317128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
--a------ 2007-03-20 18:23 1773568 C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"C:\\Program Files\\Vongo\\VongoService.exe"= C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FD8CC398-C3F7-41BE-98A5-C6A62BB10958}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{13C9E86B-54AE-4A87-A2EF-44ED2B50EF5F}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{220513BC-B2BE-4FA0-BAC9-60F5F7F74726}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{5A90CF99-4F43-41A7-BD63-833D156B1E88}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{95383F02-9BF8-4FFB-9917-671A202B8E80}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CD4068D7-B5D6-4E40-BF0F-A5E33A97304B}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{94F144FD-51FF-47FC-9888-47B9EB6EBB2C}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D4E92348-BAF7-45C0-8F15-C60F4331067A}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F03EBEA6-16B0-45AC-BFB6-B06BA544D646}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{463360B5-9168-4A8C-99C2-D408F72A831A}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D564992B-5CA3-4CFE-89DE-F51A05383AA1}"= UDP:C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe:Sid Meier's Railroads!
"{44E83821-173E-4349-87AF-789E3CEEF7B0}"= TCP:C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe:Sid Meier's Railroads!
"{D69BE963-543F-4842-ACA1-3ADD37937BE6}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{943D345A-DDD2-4608-A522-89DB7DE7456C}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E0B96FE8-16AA-448D-B25A-6EAB65C651E3}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{7D1CD1B9-94A9-4A2B-8098-BFB83748D6E3}"= UDP:C:\Program Files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{DCE2976C-173C-4A22-AD67-ED1B57A658B1}"= TCP:C:\Program Files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"TCP Query User{F153CD47-A2F5-4CC3-AA91-482B08DA73FA}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{CF2C1141-834C-4036-9EC9-F052A1BBDBFB}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{79C751E4-E1CB-4897-860B-F405E576AEA4}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{0BABAE05-D130-4304-AD15-7B7869A8F7D4}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{52169A6C-7525-4357-946B-93B90A54953F}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5CA65638-723C-4A78-864C-333C28B79467}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1862F230-11F0-492F-AD3B-3B57C53C6CBE}"= UDP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{3EFF0819-957F-4CDC-8A55-2E7A647A54DB}"= TCP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{3DA81763-FF80-46C1-9A66-8C6D1D8D902C}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D5FCCFCF-9F0D-4D5B-AFB8-4EA2383874FE}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D2259ED0-5E0A-4B97-8EF4-C18BCD39D042}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{80659C04-5504-43AD-83F8-2FAB71225C55}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{40126194-9F71-4254-A3FE-F799B7446AD3}C:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{C4707A27-888B-43A5-8F2A-935C2E589151}C:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{E0C2ECBA-811F-42CB-96B8-D7218E49BBF8}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{28A6D1A8-CEE3-46C8-AB0E-FB9F6366073A}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{F2340717-D365-461C-9B04-2A90A4D42A60}D:\\program files\\defcon\\defcon.exe"= UDP:D:\program files\defcon\defcon.exe:Defcon
"UDP Query User{D7B0C48C-EC1C-460B-95A2-C28BE192BD80}D:\\program files\\defcon\\defcon.exe"= TCP:D:\program files\defcon\defcon.exe:Defcon
"TCP Query User{603D0C20-4068-4FB0-BB0D-492FB16A42F4}D:\\program files\\defcon\\defcon.exe"= UDP:D:\program files\defcon\defcon.exe:Defcon
"UDP Query User{618DC0E1-0469-4275-993C-3882198618EF}D:\\program files\\defcon\\defcon.exe"= TCP:D:\program files\defcon\defcon.exe:Defcon
"{DC07D727-0911-4A80-A530-02843E182319}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{AD3276C4-5A26-4AF4-9D1F-BD735216A01A}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"TCP Query User{B93DE00F-44D7-4B30-8017-37E54A60F30B}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{893BBCD1-AF16-4314-8A43-60B19185FBF6}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{25C89A67-3248-446B-B746-62066170CD80}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{73D9848B-CF7D-4C53-8E3F-5037C902DFDE}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{AFD09D1D-B715-411B-A3B0-5D5CD4577EA9}"= UDP:D:\Program Files\Time of Defiance (2006)\Time of Defiance.exe:Run Time of Defiance
"{CC6D8ED8-A93D-41B6-B95F-D8F7024B66A8}"= TCP:D:\Program Files\Time of Defiance (2006)\Time of Defiance.exe:Run Time of Defiance
"{0C4AB8DD-F10A-43B5-B95C-E831DFB3701A}"= UDP:D:\Program Files\Time of Defiance (2006)\Launcher\NiCEUpdateClient.exe:NiCEUpdateClient.exe
"{43A8482B-056C-45F4-9572-0057D4DCF119}"= TCP:D:\Program Files\Time of Defiance (2006)\Launcher\NiCEUpdateClient.exe:NiCEUpdateClient.exe
"{1DF76749-A93B-4397-B837-E075FE9CD46E}"= UDP:D:\Program Files\Time of Defiance (2006)\Launcher\NiCELauncher.exe:NiCELauncher.exe
"{0A6CF7EA-1913-476D-ACEB-DAE9F9860668}"= TCP:D:\Program Files\Time of Defiance (2006)\Launcher\NiCELauncher.exe:NiCELauncher.exe
"TCP Query User{6D3C8158-D4AF-4146-9E33-4AF0E07F9E1E}D:\\program files\\time of defiance (2006)\\aliceclient.exe"= UDP:D:\program files\time of defiance (2006)\aliceclient.exe:AliceClientAR
"UDP Query User{C38CFE04-51F1-4C34-BDF6-D3DA749832A9}D:\\program files\\time of defiance (2006)\\aliceclient.exe"= TCP:D:\program files\time of defiance (2006)\aliceclient.exe:AliceClientAR
"TCP Query User{092CFB1E-2040-4DA9-B79D-CC445B72E2B9}D:\\program files\\time of defiance (2006)\\aliceclient.exe"= UDP:D:\program files\time of defiance (2006)\aliceclient.exe:AliceClientAR
"UDP Query User{1F7A87CC-CA9D-46AB-8B46-AEA2AB0AA7D4}D:\\program files\\time of defiance (2006)\\aliceclient.exe"= TCP:D:\program files\time of defiance (2006)\aliceclient.exe:AliceClientAR
"{84886F14-0DFF-4ED6-92E7-5C18073AD027}"= UDP:C:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe:Stronghold 2
"{B202A427-82B3-43E4-9C9A-964D52C1EF1B}"= TCP:C:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe:Stronghold 2
"TCP Query User{6361CEB8-55A1-4604-BF5B-E68A0C16E1ED}C:\\program files\\firefly studios\\stronghold 2\\stronghold2.exe"= UDP:C:\program files\firefly studios\stronghold 2\stronghold2.exe:Stronghold 2
"UDP Query User{6E667EA1-A8EB-4CD3-A745-DC83BFBCAB5C}C:\\program files\\firefly studios\\stronghold 2\\stronghold2.exe"= TCP:C:\program files\firefly studios\stronghold 2\stronghold2.exe:Stronghold 2
"{1C0CD43D-2277-4B71-B8BE-3A06D2886E73}"= UDP:6667:strongholdtcp1
"{9B9667C0-180E-4D12-B79C-888E650C15A6}"= UDP:28910:strongholdtcp2
"{55E5A07A-0355-45FC-9DAA-1676424A1E7C}"= TCP:19966:strongholdudp
"{D12E08A7-B4AA-41A8-B89D-6B7CB018C0A7}"= TCP:13139:stongholdudp2
"{DCB16D7E-69E2-4D23-946C-B72355F6B250}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5FE2B4A1-DC14-4EDC-8B39-B12FB984B07D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{E3CBB4A4-0063-439C-B6FB-748A14528CAF}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7ADCED3D-5EE8-49CA-8D3B-538FD4A1A3B7}"= UDP:D:\Program Files\Pollux Gamelabs\Lost Empire - Immortals\LostEmpire.exe:Lost Empire - Immortals
"{93C76CB9-8C04-40D6-89DA-D32AB5B09138}"= TCP:D:\Program Files\Pollux Gamelabs\Lost Empire - Immortals\LostEmpire.exe:Lost Empire - Immortals
"{27098C1E-0591-4265-A9B0-135BFEE41034}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1B473951-6BFE-4FFF-982A-4ABBAE93E7F8}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 ASBroker;Logon Session Broker;C:\Windows\System32\svchost.exe [2006-11-02 05:45]
R2 ASChannel;Local Communication Channel;C:\Windows\System32\svchost.exe [2006-11-02 05:45]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 Windows Tribute Service;Windows Tribute Service;C:\Windows\system32\kdetx.exe [2007-11-15 03:51]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 03:30]
S3 hcw85bda;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2006-12-01 18:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{065802b6-5095-11dc-940e-806e6f6e6963}]
\shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32225249-c62d-11dc-ada8-001b24637f40}]
\shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63a970b7-a26b-11dc-ae27-001b24637f40}]
\shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-21 15:28:04 C:\Windows\Tasks\HPCeeScheduleForDominic Bray.job"
- C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe$HPCeeScheduleForDominic Bray (null)
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 19:23:32
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Windows\system32\kdetx.exe 63488 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-06-05 19:25:08
ComboFix-quarantined-files.txt 2008-06-05 23:24:51
ComboFix2.txt 2008-06-02 23:42:32

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

253 --- E O F --- 2008-06-04 11:38:39
--------------EOF--------------------------------

Any ideas? I'm really puzzled and frustrated...
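The entry the thread keeps coming back to is a registered service (S2 Windows Tribute Service) whose binary, C:\Windows\system32\kdetx.exe, catchme reports as a hidden file. As an added example (not part of the thread, of ComboFix or of catchme), the Python script below parses the service list, the mountpoints2 AutoRun entries and the catchme hidden-files section of a log laid out like the one above and cross-references them, so that pairing is flagged automatically rather than spotted by eye. The sample input is a constructed excerpt modelled on the log posted here, and the regexes are assumptions about the log layout, not a documented format.

```python
import re

# Constructed excerpt modelled on the ComboFix service list, mountpoints2 entries and
# catchme "hidden files" output posted in this thread (not the full log).
SAMPLE_LOG = r"""
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 Windows Tribute Service;Windows Tribute Service;C:\Windows\system32\kdetx.exe [2007-11-15 03:51]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 03:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{065802b6-5095-11dc-940e-806e6f6e6963}]
\shell\AutoRun\command - F:\autorun.exe

scanning hidden files ...

C:\Windows\system32\kdetx.exe 63488 bytes executable

scan completed successfully
hidden files: 1
"""

# Service line: "<state> <name>;<display name>;<binary path> [<file stamp>]" (layout assumed)
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);"?(.*?)"?\s+\[([^\]]+)\]\s*$')
# mountpoints2 AutoRun command Explorer recorded for a volume
AUTORUN_RE = re.compile(r'^\\shell\\AutoRun\\command\s+-\s+(\S.*?)\s*$')
# catchme hidden-file line: "<path> <size> bytes executable"
HIDDEN_RE = re.compile(r'^([A-Za-z]:\\\S.*?)\s+(\d+)\s+bytes\s+executable\s*$')


def norm(path):
    """Case-fold a Windows path and drop surrounding quotes so paths compare equal."""
    return path.strip().strip('"').lower()


def parse_log(text):
    """Return (services, autorun_commands, hidden_paths) pulled out of the log text."""
    services, autoruns, hidden = [], [], set()
    for line in text.splitlines():
        line = line.rstrip()
        if m := SERVICE_RE.match(line):
            services.append({"state": m.group(1), "name": m.group(2).strip(),
                             "path": m.group(4).strip(), "stamp": m.group(5)})
        elif m := AUTORUN_RE.match(line):
            autoruns.append(m.group(1))
        elif m := HIDDEN_RE.match(line):
            hidden.add(norm(m.group(1)))
    return services, autoruns, hidden


def review(text):
    """Cross-reference the sections; each finding is a (kind, subject, detail) tuple."""
    services, autoruns, hidden = parse_log(text)
    findings, referenced = [], set()
    for svc in services:
        # A registered service whose binary the rootkit scanner reports as hidden:
        # the Windows Tribute Service / kdetx.exe pairing in this thread's log.
        if norm(svc["path"]) in hidden:
            findings.append(("hidden-service-binary", svc["name"], svc["path"]))
            referenced.add(norm(svc["path"]))
    for path in sorted(hidden - referenced):
        findings.append(("hidden-file-unreferenced", path, ""))
    for cmd in autoruns:
        exe = cmd.split()[0]
        # AutoRun command remembered for a non-system volume: review what it launches
        if not norm(exe).startswith("c:\\"):
            findings.append(("non-system-volume-autorun", exe, cmd))
    return findings
```

Run `review()` over a full ComboFix log pasted into a file; a service that shows up in both sections is the first thing to check before trying to disable or delete it by hand.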
greyknight17

Joined: Feb 03, 2003
Posts: 4864
Location: Brooklyn, NY

PostPosted: Sat Jun 07, 2008 2:14 pm

Disable Spybot's TeaTimer feature completely by going into Spybot, going to Mode->Advanced and clicking Yes. Then on the left, click on Tools->Resident and uncheck Resident TeaTimer.

Please redo the CFScript step again.
DomBray

Joined: Jun 01, 2008
Posts: 12

PostPosted: Sat Jun 07, 2008 4:26 pm

OK, TeaTimer is gone...

I've redone the CFScript.txt stage again, twice more, once with my virus protection running, and once with the network connection disabled and then virus protection off.

It did not make a log either time; at the point where it says it is about to scan my machine (before it starts to list the stages) the screen blacks out and the OS restarts. I log on but nothing happens; ComboFix doesn't restart and starting it manually doesn't pick up part way through.

I shall run a normal ComboFix and post that; maybe the kdetx will be gone... but I could have sworn I did this manually a few days ago...
DomBray

Joined: Jun 01, 2008
Posts: 12

PostPosted: Sat Jun 07, 2008 4:35 pm

OK, I found the Windows Tribute Service was stopped but I still couldn't manually delete the kdetx.exe. I tried to change the service to disabled rather than auto start, and the OS complained that it isn't a properly installed service and couldn't query its status... It is not showing as disabled in the manager, but when I open the properties it is.

I have launched msconfig and turned off the Windows Tribute Service there too, so I'll now restart and see if I can delete the kdetc.exe file.
DomBray

Joined: Jun 01, 2008
Posts: 12

PostPosted: Sat Jun 07, 2008 5:29 pm

Nope, I still can't manually delete it, and I guess if I did rerun ComboFix without that script it would return a log that showed it. I guess ComboFix isn't killing the service like we want it to...

Is there a start-up I could do, like the old safe mode to a command prompt, that wouldn't load all the services?
DomBray

Joined: Jun 01, 2008
Posts: 12

PostPosted: Sat Jun 07, 2008 6:11 pm

OK, so here we go..

I went through the registry and tore out all references to Kdetc.exe. I exported the entries first and have them saved in three files, as there were three references. I restarted and found I could delete the file; sadly I emptied my recycle bin without thinking and so have no copy of it I could make available. That really was dumb given how difficult it was to get rid of... maybe I could use some undelete program to get hold of it again if you wanted it?

I certainly have exported versions of the reg entries I removed, though.

My google search results appear to be normal at the moment.

I reran ComboFix to get you a log report to see what you think, run without TeaTimer or virus protection switched on:

Thanks again for your help so far. I know rushing into the registry with a hatchet wasn't the most carefully thought-out idea, but it seems to have worked...


ComboFix 08-06-01.6 - Dominic Bray 2008-06-07 18:08:12.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1242 [GMT -4:00]
Running from: C:\Users\Dominic Bray\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 22:07 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\Skype
2008-06-07 20:30 28,000 ----a-w C:\Users\Dominic Bray\AppData\Roaming\nvModes.dat
2008-06-07 20:07 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\skypePM
2008-06-07 00:25 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\teamspeak2
2008-06-07 00:25 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-06-05 22:02 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\Malwarebytes
2008-06-05 22:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 22:02 --------- d-----w C:\PROGRA~2\Malwarebytes
2008-06-01 12:12 --------- d-----w C:\Program Files\Browser Hijack Recover
2008-06-01 02:46 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 02:45 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\Yahoo!
2008-06-01 02:45 --------- d-----w C:\PROGRA~2\Yahoo!
2008-06-01 02:44 --------- d-----w C:\Program Files\SpywareGuard
2008-06-01 02:36 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy
2008-06-01 02:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-01 02:13 --------- d-----w C:\Program Files\Uniblue
2008-06-01 01:51 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-30 05:06 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-05-30 05:06 15,864 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-05-15 08:28 --------- d-----w C:\Program Files\FreeCodec
2008-05-14 13:00 --------- d-----w C:\Program Files\Windows Mail
2008-05-14 13:00 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-05-12 22:39 --------- d-----w C:\Program Files\Java
2008-04-24 09:59 --------- d-----w C:\Program Files\Apple Software Update
2008-04-16 18:25 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2008-04-14 08:06 --------- d-----w C:\Users\Dominic Bray\AppData\Roaming\ZoomBrowser EX
2008-04-14 08:05 --------- d-----w C:\PROGRA~2\ZoomBrowser
2008-03-22 14:22 691,545 ----a-w C:\Windows\unins001.exe
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-01-11 09:16 27,525 ----a-w C:\Users\Tiffany\AppData\Roaming\nvModes.dat
2007-08-30 15:20 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot.DeleteThis@2008-06-02_19.42.14.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-02 22:56:13 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-07 22:03:16 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-02 22:56:13 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-07 22:03:17 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-06-02 22:56:13 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-06-07 22:03:17 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-02 22:57:40 151,552 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-07 22:04:39 151,552 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-06-02 22:57:40 151,552 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-07 22:04:39 151,552 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-06-02 16:44:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-07 16:24:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-02 16:44:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-07 16:24:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-02 16:44:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-07 16:24:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-04 21:56:32 2,456 ----a-w C:\Windows\System32\networklist\icons\{45522FA8-696C-42C1-81FE-3040F0ECDEC0}_24.bin
+ 2008-06-04 21:56:32 4,280 ----a-w C:\Windows\System32\networklist\icons\{45522FA8-696C-42C1-81FE-3040F0ECDEC0}_32.bin
+ 2008-06-04 21:56:32 9,560 ----a-w C:\Windows\System32\networklist\icons\{45522FA8-696C-42C1-81FE-3040F0ECDEC0}_48.bin
- 2008-06-02 22:59:39 12,038 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3284383407-3912586842-369745289-1000_UserData.bin
+ 2008-06-07 22:06:40 12,290 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3284383407-3912586842-369745289-1000_UserData.bin
- 2008-06-02 22:59:39 71,238 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-07 22:06:40 71,302 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-02 22:47:49 35,110 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-07 22:06:39 35,490 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Startup Manager"="C:\Users\Dominic Bray\AppData\Roaming\Systweak\ASO 2\smstartUp manager.exe" [ ]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 01:14 833072]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 16:44 178712]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-28 10:48 8433664]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-06-28 10:55 81920]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-16 23:34 634880]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.