Solve : Computer possibly compromised?

1.	Solve : Computer possibly compromised?
Answer» Seems my COMPUTER, as well as a few other computers of people at an office I do work at, have been compromised. There has been access to my Gmail account from China (according to a message to me from Gmail) in the past few days, my Warcraft account has been hacked, and two other people I know at this office have had their Hotmail accounts accessed and used to spam people in their contacts in the last two days. I did a full scan of all of my computers with Kaspersky Internet Security 2010 (which is always running on them anyway and automatically updates daily) and came up with nothing. If one of you fine fellows could have a look at my other logs and see if you see anything suspicious, I would much appreciate it. SAS found 6 tracking cookies. I was familiar with where all came from. Code: [Select]SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 04/24/2010 at 10:40 AM Application Version : 4.35.1002 Core Rules Database Version : 4846 Trace Rules Database Version: 2658 Scan type : Quick Scan Total Scan Time : 01:47:07 Memory items scanned : 634 Memory threats detected : 0 Registry items scanned : 525 Registry threats detected : 0 File items scanned : 93216 File threats detected : 6 Adware.Tracking Cookie C:\Users\Noah\AppData\Roaming\Microsoft\WINDOWS\Cookies\[emailprotected][2].txt C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt MBAM Log Code: [Select]Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 4029 Windows 6.0.6002 Service Pack 2 Internet Explorer 8.0.6001.18904 4/24/2010 11:48:38 AM mbam-log-2010-04-24 (11-48-38).txt Scan type: Quick scan Objects scanned: 112204 Time elapsed: 10 minute(s), 29 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HJT Log Code: [Select]Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 8:12:43 AM, on 4/24/2010 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v8.00 (8.00.6001.18904) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe C:\Program Files\HP\HP Software Update\hpwuschd2.exe C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe C:\Windows\System32\mobsync.exe C:\World of Warcraft\Launcher.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe C:\Windows\system32\NOTEPAD.EXE C:\Users\Noah\Downloads\stealth.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0" O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [avp] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun O4 - Global Startup: Adobe Gamma Loader.lnk = ? O4 - Global Startup: Bluetooth.lnk = ? O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll O20 - AppInit_DLLs: acaptuser32.dll,C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~2\kloehk.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit (mi-raysat_3dsmax2010_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- End of file - 12196 bytes Please download ComboFix from BleepingComputer.com Alternate link: GeeksToGo.com *Rename ComboFix.exe to combo-fix.exe* before you save it to your Desktop Disable your ANTIVIRUS and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\combo-fix.exe" /stepdel As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install. When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt** in your next reply. Ok, here's that log: Code: [Select]ComboFix 10-04-21.01 - Noah 04/25/2010 8:09.1.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1548 [GMT 7:00] Running from: c:\users\Noah\Desktop\combo-fix.exe Command switches used :: /stepdel SP: SUPERAntiSpyware disabled (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7} SP: Windows Defender enabled (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\$recycle.bin\S-1-5-21-2299539283-4137082352-299996081-500 c:\$recycle.bin\S-1-5-21-2663311255-305293875-2490082889-500 c:\$recycle.bin\S-1-5-21-2299539283-4137082352-299996081-500\desktop.ini c:\$recycle.bin\S-1-5-21-2663311255-305293875-2490082889-500\desktop.ini c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk c:\windows\system32\KBL.LOG . ((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 ))))))))))))))))))))))))))))))) . 2010-04-25 01:23 . 2010-04-25 01:23 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-04-24 04:32 . 2010-04-24 04:32 -------- d-----w- c:\users\Noah\AppData\Roaming\Malwarebytes 2010-04-24 04:32 . 2010-03-29 17:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-24 04:31 . 2010-04-24 04:31 -------- d-----w- c:\programdata\Malwarebytes 2010-04-24 04:31 . 2010-04-24 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-24 04:31 . 2010-03-29 17:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-24 01:29 . 2010-04-24 01:29 52224 ----a-w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-04-24 01:29 . 2010-04-24 01:29 117760 ----a-w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-04-24 01:28 . 2010-04-24 01:28 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2010-04-24 01:27 . 2010-04-24 01:27 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-04-24 01:27 . 2010-04-24 01:27 -------- d-----w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com 2010-04-16 05:32 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys 2010-04-16 05:32 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-04-16 05:32 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys 2010-04-16 05:32 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-04-16 05:32 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-04-16 05:31 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-04-16 05:29 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll 2010-04-16 05:28 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll 2010-04-16 05:28 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys 2010-04-16 05:28 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys 2010-04-16 05:27 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll 2010-04-10 03:06 . 2010-04-10 03:06 -------- d-----w- c:\windows\system32\Adobe 2010-04-05 04:01 . 2010-04-05 04:01 -------- d-----w- c:\program files\MagicISO 2010-04-05 02:14 . 2010-04-05 02:14 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment 2010-03-29 09:09 . 2010-04-02 01:31 -------- d-----w- c:\users\Noah\AppData\Roaming\skypePM 2010-03-29 09:04 . 2010-04-02 01:32 -------- d-----w- c:\users\Noah\AppData\Roaming\Skype 2010-03-29 09:02 . 2010-04-02 01:39 -------- d-----w- c:\programdata\Skype . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-24 05:39 . 2009-10-30 01:46 111336 ----a-w- c:\programdata\nvModes.dat 2010-04-24 01:26 . 2009-11-06 01:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2010-04-23 03:46 . 2009-11-23 02:14 -------- d-----w- c:\users\Noah\AppData\Roaming\Free Download Manager 2010-04-23 03:46 . 2009-10-16 02:06 -------- d-----w- c:\programdata\Kaspersky Lab 2010-04-18 06:15 . 2009-11-29 05:12 -------- d-----w- c:\users\Noah\AppData\Roaming\vlc 2010-04-18 04:52 . 2010-02-22 05:05 -------- d-----w- c:\users\Noah\AppData\Roaming\dvdcss 2010-04-17 05:26 . 2008-03-07 18:15 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-04-16 05:33 . 2008-03-07 18:56 -------- d-----w- c:\programdata\Microsoft Help 2010-04-16 02:37 . 2009-12-06 03:24 -------- d-----w- c:\program files\Google 2010-04-05 04:03 . 2009-10-16 03:20 -------- d-----w- c:\users\Noah\AppData\Roaming\uTorrent 2010-04-02 09:27 . 2008-07-19 08:52 12 ----a-w- c:\windows\bthservsdp.dat 2010-04-02 01:36 . 2008-03-07 20:04 -------- d-----w- c:\program files\Java 2010-03-29 09:09 . 2010-03-29 09:09 56 ---ha-w- c:\programdata\ezsidmv.dat 2010-03-29 01:14 . 2009-12-19 09:31 680 ----a-w- c:\users\Noah\AppData\Local\d3d9caps.dat 2010-03-21 02:49 . 2010-03-21 02:49 -------- d-----w- c:\program files\IObit 2010-03-09 06:45 . 2008-07-19 09:15 -------- d-----w- c:\programdata\WildTangent 2010-03-09 06:38 . 2009-11-06 01:57 -------- d-----w- c:\programdata\Media Center Programs 2010-03-08 21:28 . 2010-01-21 04:36 411368 ----a-w- c:\windows\system32\deploytk.dll 2010-02-24 03:16 . 2009-10-16 02:21 181632 ------w- c:\windows\system32\MpSigStub.exe 2010-02-23 06:39 . 2010-04-02 01:52 916480 ----a-w- c:\windows\system32\wininet.dll 2010-02-23 06:33 . 2010-04-02 01:52 71680 ----a-w- c:\windows\system32\iesetup.dll 2010-02-23 06:33 . 2010-04-02 01:52 109056 ----a-w- c:\windows\system32\iesysprep.dll 2010-02-23 04:55 . 2010-04-02 01:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe 2010-02-20 23:06 . 2010-03-11 05:42 24064 ----a-w- c:\windows\system32\nshhttp.dll 2010-02-20 23:05 . 2010-03-11 05:42 30720 ----a-w- c:\windows\system32\httpapi.dll 2010-02-20 20:53 . 2010-03-11 05:42 411648 ----a-w- c:\windows\system32\drivers\http.sys 2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr 2009-02-27 18:47 . 2009-10-16 16:47 22 --sha-w- c:\windows\SMINST\HPCD.SYS 2009-11-13 05:37 . 2009-10-16 02:06 4634144 --sha-w- c:\windows\System32\drivers\fidbox.dat 2009-11-13 05:37 . 2009-10-16 02:06 745504 --sha-w- c:\windows\System32\drivers\fidbox2.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note EMPTY entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968] "Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800] "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-05-05 1466368] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032] "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320] "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048] "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560] "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13556256] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-03 92704] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376] "avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576] "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-19 113664] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\acaptuser32.dll c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "VistaSp2"=hex(b):84,96,33,27,0a,59,ca,01 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2299539283-4137082352-299996081-1003] "EnableNotificationsRef"=dword:00000002 R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 135664] R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-03-12 86016] S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880] S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632] S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872] --- Other Services/Drivers In Memory --- NewlyCreated - SASDIFSV NewlyCreated - SASENUM NewlyCreated - SASKUTIL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs REG_MULTI_SZ BthServ LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache WindowsMobile REG_MULTI_SZ wcescomm rapimgr LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2007-08-23 10:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder 2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 02:50] 2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 02:50] . . ------- Supplementary Scan ------- . uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop uDefault_Search_URL = hxxp://www.google.com/ie mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm FF - ProfilePath - c:\users\Noah\AppData\Roaming\Mozilla\Firefox\Profiles\fse4u3p0.default\ FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll FF - component: c:\program files\Mozilla Blocked Russian URL\components\KavLinkFilter.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . - - - - ORPHANS REMOVED - - - - HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-25 08:24 Windows 6.0.6002 Service Pack 2 NTFS scanning hidden processes ... [0] 0x00690076 scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-2299539283-4137082352-299996081-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY] "??"=hex:d3,d7,d0,6b,8f,10,99,81,a3,c1,dc,28,51,33,8b,9f,30,0c,dc,ec,67,e6,06, 3e,e4,68,13,d9,39,fc,72,13,74,f2,09,b1,bf,5f,23,0a,ec,98,3c,8d,70,cd,2b,ce,\ "??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 "MSCurrentCountry"=dword:000000b5 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Completion time: 2010-04-25 08:30:03 ComboFix-quarantined-files.txt 2010-04-25 01:29 Pre-Run: 44,393,619,456 bytes free Post-Run: 48,444,194,816 bytes free Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,17 - - End Of File - - 9154B4621CA13F235466BA7EFDF10DBA Sorry for the delay. I didn't take this laptop home with me last night. After we're done clearing this one, I'll post logs for my desktop at home to make sure it's clean as well.GMER Note about this tool:* This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes. This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know. No matter what is in the log, please post all the information/contents of the log. Please download the GMER Rootkit Scanner. Unzip it to your Desktop. Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan. Double-click gmer.exe. The program will begin to run. Caution These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised! If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click NO In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked. Now click the Scan button. Once the scan is complete, you may receive another notice about rootkit activity. Click OK. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt" Save it where you can easily find it, such as your desktop. Post the contents of GMER.txt in your next reply.It's not finished scanning and it's already pages long. Should I just attach the txt file when it finishes?Complete gmer log. [recovering disk space - old attachment deleted by admin]Please download RootRepeal from GooglePages.com. Extract the program file to your Desktop. Run the program RootRepeal.exe. Click Settings > Options. Drag the slider to High Level. Then, click the Red X. Go to the Report tab and click on the Scan button. Select ALL of the checkboxes and then click OK and it will start scanning your system. If you have multiple drives you only need to check the C: drive or the one Windows is installed on. When done, click on Save Report Save it to the Desktop. Please copy/paste the contents of the report in your next reply. Please remove any e-mail address in the RootRepeal report (if present). I've got it running now, but I'll be leaving the shop here in about 20 minutes to head back home and I'll continue it then if it doesn't finish before I leave.RootRepeal gave an error, then closed. The error window was empty. After clicking the X close button, a second smaller but equally empty window popped up, then RootRepeal closed. [recovering disk space - old attachment deleted by admin]Please download SystemLook from one of the links below and save it to your Desktop. Download Mirror #1 Download Mirror #2 Double-click SystemLook.exe to run it. Copy the content of the following codebox into the main textfield: Code: [Select]:filefind scecli.dll netlogon.dll eventlog.dll winlogon.exe comres.dll crypt32.dll gpedit.dll rundll32.exe sfc.dll svchost.exe cngaudit.dll beep.sys wscntfy.exe atapi.sys bthport.sys Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txtCode: [Select]SystemLook v1.0 by jpshortstuff (11.01.10) Log created at 09:29 on 26/04/2010 by Noah (Administrator - Elevation successful) ========== filefind ========== Searching for "scecli.dll" C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 177152 bytes [01:27 25/04/2010] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1 C:\WINDOWS\System32\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1 C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [02:24 21/01/2008] [02:24 21/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9 C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1 Searching for "netlogon.dll" C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 592896 bytes [01:27 25/04/2010] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE C:\WINDOWS\System32\netlogon.dll --a--- 592896 bytes [17:42 28/10/2009] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll --a--- 592384 bytes [02:24 21/01/2008] [02:24 21/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll --a--- 592896 bytes [17:42 28/10/2009] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE Searching for "eventlog.dll" C:\Program Files\CyberLink\PowerDirector\EventLog.dll --a--- 7216 bytes [06:30 13/01/2007] [06:30 13/01/2007] C2A279A458A06DE2C83D842AA042B5A8 Searching for "winlogon.exe" C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 314368 bytes [01:27 25/04/2010] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452 C:\WINDOWS\System32\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452 C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe --a--- 314880 bytes [02:24 21/01/2008] [02:24 21/01/2008] C2610B6BDBEFC053BBDAB4F1B965CB24 C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452 Searching for "comres.dll" C:\WINDOWS\System32\comres.dll --a--- 1291264 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4211249955AF9133E2E357CC92B54DFD C:\WINDOWS\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4211249955AF9133E2E357CC92B54DFD Searching for "crypt32.dll" C:\WINDOWS\System32\crypt32.dll --a--- 978944 bytes [17:43 28/10/2009] [06:28 11/04/2009] 6659EC6006FD99A3AF1B8A6306F8BE3C C:\WINDOWS\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\crypt32.dll --a--- 977408 bytes [02:24 21/01/2008] [02:24 21/01/2008] D4D86075510C02F887528207D8E0D713 C:\WINDOWS\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6002.18005_none_5d5b3ae7daf59226\crypt32.dll --a--- 978944 bytes [17:43 28/10/2009] [06:28 11/04/2009] 6659EC6006FD99A3AF1B8A6306F8BE3C Searching for "gpedit.dll" C:\WINDOWS\System32\gpedit.dll --a--- 950784 bytes [17:43 28/10/2009] [06:28 11/04/2009] 4E51A7052D162B2BA85612B486A68A45 C:\WINDOWS\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6001.18000_none_ce322c9564e76885\gpedit.dll --a--- 936960 bytes [02:24 21/01/2008] [02:24 21/01/2008] E3DDEB38C6303086F79C6B7E83C372C8 C:\WINDOWS\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6002.18005_none_d01da5a1620933d1\gpedit.dll --a--- 950784 bytes [17:43 28/10/2009] [06:28 11/04/2009] 4E51A7052D162B2BA85612B486A68A45 Searching for "rundll32.exe" C:\WINDOWS\System32\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A C:\WINDOWS\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.0.6000.16386_none_d5ce8f93adff8210\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A Searching for "sfc.dll" C:\WINDOWS\ERDNT\cache\sfc.dll --a--- 4608 bytes [01:27 25/04/2010] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8 C:\WINDOWS\System32\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8 C:\WINDOWS\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.0.6001.18000_none_a735c34c5c31a578\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8 Searching for "svchost.exe" C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 21504 bytes [01:27 25/04/2010] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF C:\WINDOWS\System32\svchost.exe --a--- 21504 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF C:\WINDOWS\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe --a--- 21504 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF Searching for "cngaudit.dll" C:\WINDOWS\ERDNT\cache\cngaudit.dll --a--- 11776 bytes [01:27 25/04/2010] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D C:\WINDOWS\System32\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D Searching for "beep.sys" C:\WINDOWS\ERDNT\cache\beep.sys --a--- 6144 bytes [01:27 25/04/2010] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6 C:\WINDOWS\System32\drivers\beep.sys --a--- 6144 bytes [02:23 21/01/2008] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6 C:\WINDOWS\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6001.18000_none_c420a153079d485b\beep.sys --a--- 6144 bytes [02:23 21/01/2008] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6 Searching for "wscntfy.exe" No files found. Searching for "atapi.sys" C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 19944 bytes [01:27 25/04/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4 C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4 C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9 C:\WINDOWS\System32\drivers\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4 C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9 C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4 Searching for "bthport.sys" C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_00899617\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_03301a54\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] 73D53F8E90550BA81E2CF44A0873B410 C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_c206c850\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] B4CE8000AAB30A9AB16CD0FB3DB4D7CF C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_cf39a24e\bthport.sys --a--- 220160 bytes [10:25 02/11/2006] [08:55 02/11/2006] 4A74BBB2B6761789F42A6613479BDB1D C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_f5996c35\bthport.sys --a--- 219648 bytes [02:23 21/01/2008] [02:23 21/01/2008] 671134053D59E23704F08DB19F11E10B C:\WINDOWS\System32\drivers\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6000.16682_none_700a06c9bea9b8da\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] B4CE8000AAB30A9AB16CD0FB3DB4D7CF C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6000.20824_none_70d68596d794e0d3\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:35 29/04/2008] 57DFAC97330E986F845B16B29314D21F C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.18000_none_7244c43bbb913795\bthport.sys --a--- 219648 bytes [02:23 21/01/2008] [02:23 21/01/2008] 671134053D59E23704F08DB19F11E10B C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.18064_none_7207e5dbbbbe4497\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] 73D53F8E90550BA81E2CF44A0873B410 C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.22168_none_729583ced4d849bd\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:43 29/04/2008] 9F299C5274672900591E7C616D725F56 C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6002.18005_none_74303d47b8b302e1\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB -=End Of File=-Please run a free online scan with the ESET Online Scanner Tick the box next to YES, I accept the Terms of Use Click Start When asked, allow the ActiveX control to install Click Start Make sure that the options Remove found threats and the option Scan unwanted applications is checked Click Scan (This scan can take several hours, so please be patient) Once the scan is completed, you may close the window Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic I've managed to download the installer, but so far the installer hasn't been able to download the rest of the program. The internet at my current location isn't that great so I'll have to try this in about 3-4 hours when I get home.okFinally got this to download and scan. Didn't detect anything. Code: [Select][emailprotected] as downloader log: Can not read file from [emailprotected] as downloader log: Can not read file from internet.Can not extract cabC:\Program Files\ESET\ESET Online Scanner\OnlineScanner.cabErr:The operation completed successfully. [emailprotected] as downloader log: Can not read file from [emailprotected] as downloader log: Can not read file from internet.Can not read file from [emailprotected] as downloader log: Can not read file from internet.Can not extract cabC:\Program Files\ESET\ESET Online Scanner\OnlineScanner.cabErr:Cannot create a file when that file already exists. ESETSmartInsta[emailprotected] as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=04ab12bcc15cd643b9d6b91d41a57cdf # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2010-04-27 04:31:58 # local_time=2010-04-27 11:31:58 (+0700, SE Asia Standard Time) # country="United States" # lang=1033 # osver=6.0.6002 NT Service Pack 2 # compatibility_mode=1280 16777215 100 0 13405978 13405978 0 0 # compatibility_mode=5892 16776573 100 100 0 109860867 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=193020 # found=0 # cleaned=0 # scan_time=10979

Answer»

Seems my COMPUTER, as well as a few other computers of people at an office I do work at, have been compromised. There has been access to my Gmail account from China (according to a message to me from Gmail) in the past few days, my Warcraft account has been hacked, and two other people I know at this office have had their Hotmail accounts accessed and used to spam people in their contacts in the last two days.

I did a full scan of all of my computers with Kaspersky Internet Security 2010 (which is always running on them anyway and automatically updates daily) and came up with nothing.

If one of you fine fellows could have a look at my other logs and see if you see anything suspicious, I would much appreciate it.

SAS found 6 tracking cookies. I was familiar with where all came from.
Code: [Select]SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/24/2010 at 10:40 AM

Application Version : 4.35.1002

Core Rules Database Version : 4846
Trace Rules Database Version: 2658

Scan type : Quick Scan
Total Scan Time : 01:47:07

Memory items scanned : 634
Memory threats detected : 0
Registry items scanned : 525
Registry threats detected : 0
File items scanned : 93216
File threats detected : 6

Adware.Tracking Cookie
C:\Users\Noah\AppData\Roaming\Microsoft\WINDOWS\Cookies\[emailprotected][2].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][2].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[emailprotected][1].txt
MBAM Log
Code: [Select]Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4029

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/24/2010 11:48:38 AM
mbam-log-2010-04-24 (11-48-38).txt

Scan type: Quick scan
Objects scanned: 112204
Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT Log
Code: [Select]Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:12:43 AM, on 4/24/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\System32\mobsync.exe
C:\World of Warcraft\Launcher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Noah\Downloads\stealth.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [avp] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O20 - AppInit_DLLs: acaptuser32.dll,C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~2\kloehk.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit (mi-raysat_3dsmax2010_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 12196 bytes
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop

Disable your ANTIVIRUS and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\combo-fix.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Ok, here's that log:
Code: [Select]ComboFix 10-04-21.01 - Noah 04/25/2010 8:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1548 [GMT 7:00]
Running from: c:\users\Noah\Desktop\combo-fix.exe
Command switches used :: /stepdel
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2299539283-4137082352-299996081-500
c:\$recycle.bin\S-1-5-21-2663311255-305293875-2490082889-500
c:\$recycle.bin\S-1-5-21-2299539283-4137082352-299996081-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2663311255-305293875-2490082889-500\desktop.ini
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
.

2010-04-25 01:23 . 2010-04-25 01:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-24 04:32 . 2010-04-24 04:32 -------- d-----w- c:\users\Noah\AppData\Roaming\Malwarebytes
2010-04-24 04:32 . 2010-03-29 17:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 04:31 . 2010-04-24 04:31 -------- d-----w- c:\programdata\Malwarebytes
2010-04-24 04:31 . 2010-04-24 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-24 04:31 . 2010-03-29 17:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 01:29 . 2010-04-24 01:29 52224 ----a-w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-24 01:29 . 2010-04-24 01:29 117760 ----a-w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-24 01:28 . 2010-04-24 01:28 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-24 01:27 . 2010-04-24 01:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-24 01:27 . 2010-04-24 01:27 -------- d-----w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com
2010-04-16 05:32 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 05:32 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 05:32 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 05:32 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-16 05:32 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 05:31 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-16 05:29 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-16 05:28 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-16 05:28 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-16 05:28 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-16 05:27 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-10 03:06 . 2010-04-10 03:06 -------- d-----w- c:\windows\system32\Adobe
2010-04-05 04:01 . 2010-04-05 04:01 -------- d-----w- c:\program files\MagicISO
2010-04-05 02:14 . 2010-04-05 02:14 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-29 09:09 . 2010-04-02 01:31 -------- d-----w- c:\users\Noah\AppData\Roaming\skypePM
2010-03-29 09:04 . 2010-04-02 01:32 -------- d-----w- c:\users\Noah\AppData\Roaming\Skype
2010-03-29 09:02 . 2010-04-02 01:39 -------- d-----w- c:\programdata\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 05:39 . 2009-10-30 01:46 111336 ----a-w- c:\programdata\nvModes.dat
2010-04-24 01:26 . 2009-11-06 01:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-23 03:46 . 2009-11-23 02:14 -------- d-----w- c:\users\Noah\AppData\Roaming\Free Download Manager
2010-04-23 03:46 . 2009-10-16 02:06 -------- d-----w- c:\programdata\Kaspersky Lab
2010-04-18 06:15 . 2009-11-29 05:12 -------- d-----w- c:\users\Noah\AppData\Roaming\vlc
2010-04-18 04:52 . 2010-02-22 05:05 -------- d-----w- c:\users\Noah\AppData\Roaming\dvdcss
2010-04-17 05:26 . 2008-03-07 18:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 05:33 . 2008-03-07 18:56 -------- d-----w- c:\programdata\Microsoft Help
2010-04-16 02:37 . 2009-12-06 03:24 -------- d-----w- c:\program files\Google
2010-04-05 04:03 . 2009-10-16 03:20 -------- d-----w- c:\users\Noah\AppData\Roaming\uTorrent
2010-04-02 09:27 . 2008-07-19 08:52 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-02 01:36 . 2008-03-07 20:04 -------- d-----w- c:\program files\Java
2010-03-29 09:09 . 2010-03-29 09:09 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-03-29 01:14 . 2009-12-19 09:31 680 ----a-w- c:\users\Noah\AppData\Local\d3d9caps.dat
2010-03-21 02:49 . 2010-03-21 02:49 -------- d-----w- c:\program files\IObit
2010-03-09 06:45 . 2008-07-19 09:15 -------- d-----w- c:\programdata\WildTangent
2010-03-09 06:38 . 2009-11-06 01:57 -------- d-----w- c:\programdata\Media Center Programs
2010-03-08 21:28 . 2010-01-21 04:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 03:16 . 2009-10-16 02:21 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-02 01:52 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-02 01:52 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-04-02 01:52 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-04-02 01:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 05:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 05:42 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 05:42 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2009-02-27 18:47 . 2009-10-16 16:47 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2009-11-13 05:37 . 2009-10-16 02:06 4634144 --sha-w- c:\windows\System32\drivers\fidbox.dat
2009-11-13 05:37 . 2009-10-16 02:06 745504 --sha-w- c:\windows\System32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* EMPTY entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-05-05 1466368]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-03 92704]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-19 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):84,96,33,27,0a,59,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2299539283-4137082352-299996081-1003]
"EnableNotificationsRef"=dword:00000002

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 135664]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-03-12 86016]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV
*NewlyCreated* - SASENUM
*NewlyCreated* - SASKUTIL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 10:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 02:50]

2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Noah\AppData\Roaming\Mozilla\Firefox\Profiles\fse4u3p0.default\
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Mozilla *Blocked Russian URL*\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-25 08:24
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

[0] 0x00690076

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2299539283-4137082352-299996081-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d3,d7,d0,6b,8f,10,99,81,a3,c1,dc,28,51,33,8b,9f,30,0c,dc,ec,67,e6,06,
3e,e4,68,13,d9,39,fc,72,13,74,f2,09,b1,bf,5f,23,0a,ec,98,3c,8d,70,cd,2b,ce,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-25 08:30:03
ComboFix-quarantined-files.txt 2010-04-25 01:29

Pre-Run: 44,393,619,456 bytes free
Post-Run: 48,444,194,816 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,17
- - End Of File - - 9154B4621CA13F235466BA7EFDF10DBA
Sorry for the delay. I didn't take this laptop home with me last night. After we're done clearing this one, I'll post logs for my desktop at home to make sure it's clean as well.GMER

Note about this tool:

This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
No matter what is in the log, please post all the information/contents of the log.

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.It's not finished scanning and it's already pages long. Should I just attach the txt file when it finishes?Complete gmer log.

[recovering disk space - old attachment deleted by admin]Please download RootRepeal from GooglePages.com.

Extract the program file to your Desktop.
Run the program RootRepeal.exe.
Click Settings > Options. Drag the slider to High Level. Then, click the Red X.
Go to the Report tab and click on the Scan button.
Select ALL of the checkboxes and then click OK and it will start scanning your system.
If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
When done, click on Save Report
Save it to the Desktop.
Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).
I've got it running now, but I'll be leaving the shop here in about 20 minutes to head back home and I'll continue it then if it doesn't finish before I leave.RootRepeal gave an error, then closed. The error window was empty. After clicking the X close button, a second smaller but equally empty window popped up, then RootRepeal closed.

[recovering disk space - old attachment deleted by admin]Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

Code: [Select]:filefind
scecli.dll
netlogon.dll
eventlog.dll
winlogon.exe
comres.dll
crypt32.dll
gpedit.dll
rundll32.exe
sfc.dll
svchost.exe
cngaudit.dll
beep.sys
wscntfy.exe
atapi.sys
bthport.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txtCode: [Select]SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:29 on 26/04/2010 by Noah (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 177152 bytes [01:27 25/04/2010] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\System32\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [02:24 21/01/2008] [02:24 21/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1

Searching for "netlogon.dll"
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 592896 bytes [01:27 25/04/2010] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE
C:\WINDOWS\System32\netlogon.dll --a--- 592896 bytes [17:42 28/10/2009] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE
C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll --a--- 592384 bytes [02:24 21/01/2008] [02:24 21/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F
C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll --a--- 592896 bytes [17:42 28/10/2009] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE

Searching for "eventlog.dll"
C:\Program Files\CyberLink\PowerDirector\EventLog.dll --a--- 7216 bytes [06:30 13/01/2007] [06:30 13/01/2007] C2A279A458A06DE2C83D842AA042B5A8

Searching for "winlogon.exe"
C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 314368 bytes [01:27 25/04/2010] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452
C:\WINDOWS\System32\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452
C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe --a--- 314880 bytes [02:24 21/01/2008] [02:24 21/01/2008] C2610B6BDBEFC053BBDAB4F1B965CB24
C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452

Searching for "comres.dll"
C:\WINDOWS\System32\comres.dll --a--- 1291264 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4211249955AF9133E2E357CC92B54DFD
C:\WINDOWS\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4211249955AF9133E2E357CC92B54DFD

Searching for "crypt32.dll"
C:\WINDOWS\System32\crypt32.dll --a--- 978944 bytes [17:43 28/10/2009] [06:28 11/04/2009] 6659EC6006FD99A3AF1B8A6306F8BE3C
C:\WINDOWS\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\crypt32.dll --a--- 977408 bytes [02:24 21/01/2008] [02:24 21/01/2008] D4D86075510C02F887528207D8E0D713
C:\WINDOWS\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6002.18005_none_5d5b3ae7daf59226\crypt32.dll --a--- 978944 bytes [17:43 28/10/2009] [06:28 11/04/2009] 6659EC6006FD99A3AF1B8A6306F8BE3C

Searching for "gpedit.dll"
C:\WINDOWS\System32\gpedit.dll --a--- 950784 bytes [17:43 28/10/2009] [06:28 11/04/2009] 4E51A7052D162B2BA85612B486A68A45
C:\WINDOWS\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6001.18000_none_ce322c9564e76885\gpedit.dll --a--- 936960 bytes [02:24 21/01/2008] [02:24 21/01/2008] E3DDEB38C6303086F79C6B7E83C372C8
C:\WINDOWS\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6002.18005_none_d01da5a1620933d1\gpedit.dll --a--- 950784 bytes [17:43 28/10/2009] [06:28 11/04/2009] 4E51A7052D162B2BA85612B486A68A45

Searching for "rundll32.exe"
C:\WINDOWS\System32\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A
C:\WINDOWS\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.0.6000.16386_none_d5ce8f93adff8210\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A

Searching for "sfc.dll"
C:\WINDOWS\ERDNT\cache\sfc.dll --a--- 4608 bytes [01:27 25/04/2010] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\WINDOWS\System32\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\WINDOWS\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.0.6001.18000_none_a735c34c5c31a578\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8

Searching for "svchost.exe"
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 21504 bytes [01:27 25/04/2010] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF
C:\WINDOWS\System32\svchost.exe --a--- 21504 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF
C:\WINDOWS\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe --a--- 21504 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF

Searching for "cngaudit.dll"
C:\WINDOWS\ERDNT\cache\cngaudit.dll --a--- 11776 bytes [01:27 25/04/2010] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\WINDOWS\System32\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

Searching for "beep.sys"
C:\WINDOWS\ERDNT\cache\beep.sys --a--- 6144 bytes [01:27 25/04/2010] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6
C:\WINDOWS\System32\drivers\beep.sys --a--- 6144 bytes [02:23 21/01/2008] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6
C:\WINDOWS\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6001.18000_none_c420a153079d485b\beep.sys --a--- 6144 bytes [02:23 21/01/2008] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6

Searching for "wscntfy.exe"
No files found.

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 19944 bytes [01:27 25/04/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\WINDOWS\System32\drivers\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

Searching for "bthport.sys"
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_00899617\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_03301a54\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] 73D53F8E90550BA81E2CF44A0873B410
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_c206c850\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] B4CE8000AAB30A9AB16CD0FB3DB4D7CF
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_cf39a24e\bthport.sys --a--- 220160 bytes [10:25 02/11/2006] [08:55 02/11/2006] 4A74BBB2B6761789F42A6613479BDB1D
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_f5996c35\bthport.sys --a--- 219648 bytes [02:23 21/01/2008] [02:23 21/01/2008] 671134053D59E23704F08DB19F11E10B
C:\WINDOWS\System32\drivers\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6000.16682_none_700a06c9bea9b8da\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] B4CE8000AAB30A9AB16CD0FB3DB4D7CF
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6000.20824_none_70d68596d794e0d3\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:35 29/04/2008] 57DFAC97330E986F845B16B29314D21F
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.18000_none_7244c43bbb913795\bthport.sys --a--- 219648 bytes [02:23 21/01/2008] [02:23 21/01/2008] 671134053D59E23704F08DB19F11E10B
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.18064_none_7207e5dbbbbe4497\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] 73D53F8E90550BA81E2CF44A0873B410
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.22168_none_729583ced4d849bd\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:43 29/04/2008] 9F299C5274672900591E7C616D725F56
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6002.18005_none_74303d47b8b302e1\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB

-=End Of File=-Please run a free online scan with the ESET Online Scanner

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

I've managed to download the installer, but so far the installer hasn't been able to download the rest of the program. The internet at my current location isn't that great so I'll have to try this in about 3-4 hours when I get home.okFinally got this to download and scan. Didn't detect anything.

Code: [Select][emailprotected] as downloader log:
Can not read file from [emailprotected] as downloader log:
Can not read file from internet.Can not extract cabC:\Program Files\ESET\ESET Online Scanner\OnlineScanner.cabErr:The operation completed successfully.
[emailprotected] as downloader log:
Can not read file from [emailprotected] as downloader log:
Can not read file from internet.Can not read file from [emailprotected] as downloader log:
Can not read file from internet.Can not extract cabC:\Program Files\ESET\ESET Online Scanner\OnlineScanner.cabErr:Cannot create a file when that file already exists.
ESETSmartInsta[emailprotected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=04ab12bcc15cd643b9d6b91d41a57cdf
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-27 04:31:58
# local_time=2010-04-27 11:31:58 (+0700, SE Asia Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1280 16777215 100 0 13405978 13405978 0 0
# compatibility_mode=5892 16776573 100 100 0 109860867 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=193020
# found=0
# cleaned=0
# scan_time=10979

Solve : Computer possibly compromised?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment