"infected by unknown trojan..." [RESOLVED]

Hi shawshank24

welcome to geekstogo

sorry to keep you waiting. lets do a deeper scan of your machine for me to analyse.

(if your problem has already been resolved, could you just let me know so that i an move onto other logs to help others, thanks)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

you may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk

yeah, the issue is still not resolved. i'll do the other scan right now.

thanks!

main.txt:

Deckard's System Scanner v20071014.68
Run by Hello Matthew! on 2008-03-22 10:47:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
20: 2008-03-22 07:13:43 UTC - RP88 - Scheduled Checkpoint
19: 2008-03-21 08:05:18 UTC - RP87 - Windows Update
18: 2008-03-20 02:29:29 UTC - RP86 - Installed FEAR
17: 2008-03-19 19:30:33 UTC - RP84 - Installed Sid Meier's Pirates!
16: 2008-03-19 02:00:50 UTC - RP82 - Installed DirectX 9.0


-- First Restore Point --
1: 2008-03-18 23:51:20 UTC - RP55 - Installed Tom Clancy's Rainbow Six Vegas


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Hello Matthew!.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:05 AM, on 3/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIBIA.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\taskeng.exe
C:\Users\Hello Matthew!\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Hello Matthew!.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.c...Now?lnkctr=mhWN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Player Classic - {CE0487CA-8B02-431E-BA63-D38844E020B5} - C:\Windows\ausctv32a.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\Windows\TEMP\E_S3B1C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6036 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 ENTECH - \??\c:\windows\system32\drivers\entech.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {ff646f80-8def-11d2-9449-00105a075f6b}
Description: pcouffin device ...
Device ID: ROOT\PCOUFFIN\0000
Manufacturer:
Name: pcouffin device ...
PNP Device ID: ROOT\PCOUFFIN\0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-03-21 19:24:31 436 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{0A4B7E45-9D3B-46DE-81CC-3A72A06FFF83}.job


-- Files created between 2008-02-22 and 2008-03-22 -----------------------------

2008-03-20 13:55:13 0 d-------- C:\Users\All Users\LightScribe
2008-03-19 21:17:27 0 d-------- C:\Program Files\Soldier of Fortune II - Double Helix
2008-03-19 13:30:51 0 d-------- C:\Program Files\Firaxis Games
2008-03-19 01:16:04 32768 --a------ C:\Program Files\SleepTimer.exe <Not Verified; Barry; Sleep Timer>
2008-03-19 00:39:38 0 d-a------ C:\Users\All Users\TEMP
2008-03-18 23:56:57 0 d-------- C:\Program Files\Trend Micro
2008-03-18 23:21:29 0 d-------- C:\Users\All Users\vsosdk
2008-03-18 23:10:38 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-03-18 22:57:25 0 d-------- C:\Program Files\DVDFab Platinum 4
2008-03-18 19:45:35 0 d-------- C:\Program Files\Sierra
2008-03-18 19:21:30 0 d-------- C:\Program Files\The Witcher
2008-03-18 19:17:55 0 d-------- C:\Program Files\Prey
2008-03-18 18:58:03 0 d-------- C:\Windows\WinRAR
2008-03-18 18:55:42 0 d-------- C:\Users\All Users\Adobe Systems
2008-03-18 18:53:42 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-03-18 18:46:25 0 d-------- C:\Users\All Users\Media Center Programs
2008-03-18 18:41:38 0 d-------- C:\Program Files\Sierra Entertainment
2008-03-18 18:27:10 0 d-------- C:\Program Files\Eidos
2008-03-18 17:51:27 0 d-------- C:\Program Files\Ubisoft
2008-03-18 17:41:07 0 d-------- C:\Program Files\Auslogics
2008-03-18 17:40:41 0 d-------- C:\Program Files\CCleaner
2008-03-18 17:40:15 0 d-------- C:\Program Files\DNA
2008-03-18 17:40:15 0 d-------- C:\Program Files\BitTorrent
2008-03-18 17:16:06 55 --a------ C:\xmp.bat
2008-03-18 17:16:06 222208 --a------ C:\Windows\ausctv32a.dll
2008-03-18 17:09:52 0 d-------- C:\Program Files\Analog Devices
2008-03-18 16:39:43 0 d-------- C:\Users\All Users\LogiShrd
2008-03-18 16:37:47 0 d-------- C:\Program Files\Common Files\Logishrd
2008-03-18 15:39:00 0 d-------- C:\Program Files\Microsoft Works
2008-03-18 15:38:48 0 d-------- C:\Windows\PCHEALTH
2008-03-18 15:38:48 0 d-------- C:\Program Files\Microsoft.NET
2008-03-18 15:37:45 0 d-------- C:\Users\All Users\Microsoft Help
2008-03-18 15:37:22 0 dr-h----- C:\MSOCache
2008-03-18 15:25:47 0 d-------- C:\Users\All Users\EPSON
2008-03-18 14:55:32 0 --a------ C:\Windows\nsreg.dat
2008-03-18 14:49:15 0 d-------- C:\Users\All Users\Grisoft
2008-03-18 14:49:15 0 d-------- C:\Users\All Users\avg7
2008-03-18 14:42:14 0 d-------- C:\Users\All Users\Logitech
2008-03-18 14:42:13 0 d-------- C:\Program Files\Logitech
2008-03-18 14:42:11 0 d-------- C:\Program Files\Common Files\Logitech
2008-03-12 15:58:58 0 d-------- C:\Program Files\RegCleaner
2008-03-08 15:47:21 0 d-------- C:\Windows\pss
2008-03-08 15:43:14 0 d-------- C:\Program Files\Common Files\LightScribe
2008-03-08 15:40:27 0 d-------- C:\Users\All Users\Nero
2008-03-08 15:40:26 0 d-------- C:\Program Files\Nero
2008-03-08 15:40:26 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-08 15:39:39 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-03-08 15:39:39 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-03-08 15:39:39 0 d-------- C:\Program Files\Xvid
2008-03-08 15:38:19 0 d-------- C:\Users\All Users\Adobe
2008-03-08 15:38:09 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-08 15:33:53 262144 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-08 15:33:53 86016 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-03-08 15:29:58 0 d-------- C:\Windows\system32\Futuremark
2008-03-08 15:29:58 3972 --a------ C:\Windows\system32\drivers\PciBus.sys
2008-03-08 15:29:58 5632 --a------ C:\Windows\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>
2008-03-08 15:29:58 21664 --a------ C:\Windows\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2008-03-08 15:28:49 0 d-------- C:\Program Files\Futuremark
2008-03-08 13:24:21 0 d-------- C:\Windows\SoftwareDistribution
2008-03-08 13:21:07 0 d--hs---- C:\System Volume Information
2008-03-08 13:15:13 268435456 --ahs---- C:\WinPEpge.sys
2008-03-08 13:05:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-08 13:05:49 0 d-------- C:\Program Files\ASUS
2008-03-08 12:07:26 0 d-------- C:\Windows\MVUNINST
2008-03-08 12:07:26 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-03-08 12:07:04 0 d-------- C:\Windows\RegisteredPackages
2008-03-08 12:07:02 0 d-------- C:\Program Files\Windows Media Components
2008-03-08 12:06:41 0 d--hs---- C:\Windows\Installer
2008-03-08 12:04:47 0 d--h----- C:\Windows\msdownld.tmp
2008-03-08 12:04:45 0 d-------- C:\Windows\system32\directx
2008-03-08 11:30:12 0 d-------- C:\Linksys Driver
2008-03-08 11:27:53 0 d-------- C:\Users\All Users\NVIDIA
2008-03-08 11:25:55 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-08 11:20:35 3636 --a------ C:\Windows\system32\drivers\nvphy.bin
2008-03-08 11:19:58 0 d-------- C:\NVIDIA
2008-03-08 11:15:20 0 d-------- C:\Windows\system32\Macromed
2008-03-08 10:56:41 0 dr------- C:\Users\Hello Matthew!\Searches
2008-03-08 10:56:33 0 dr------- C:\Users\Hello Matthew!\Contacts
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Videos
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Templates
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Start Menu
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\SendTo
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Saved Games
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Recent
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\PrintHood
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Pictures
2008-03-08 10:56:30 2621440 --a------ C:\Users\Hello Matthew!\NTUSER.DAT
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\NetHood
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\My Documents
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Music
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Local Settings
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Links
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Favorites
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Downloads
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Documents
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Desktop
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Cookies
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Application Data
2008-03-08 10:56:30 0 d--h----- C:\Users\Hello Matthew!\AppData
2008-02-25 10:01:41 0 d-------- C:\PerfLogs
2008-02-25 09:48:57 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-25 09:39:48 0 d-------- C:\6f95f52a549217d3492f5a2c0a902e7a
2008-02-25 09:27:50 0 d-------- C:\Windows\Debug
2008-02-25 09:26:59 0 d-------- C:\Windows\Prefetch
2008-02-25 09:26:03 0 d-------- C:\Windows\Panther
2008-02-25 09:25:49 0 d--hs---- C:\Boot


-- Find3M Report ---------------------------------------------------------------

2008-03-20 13:55:21 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Ahead
2008-03-19 12:06:47 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Grisoft
2008-03-18 22:57:50 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\BitTorrent
2008-03-18 22:57:37 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Vso
2008-03-18 22:57:31 74 --a------ C:\Users\Hello Matthew!\AppData\Roaming\pcouffin.log
2008-03-18 22:57:27 47360 --a------ C:\Users\Hello Matthew!\AppData\Roaming\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-18 22:57:27 1144 --a------ C:\Users\Hello Matthew!\AppData\Roaming\pcouffin.inf
2008-03-18 22:57:27 7887 --a------ C:\Users\Hello Matthew!\AppData\Roaming\pcouffin.cat
2008-03-18 22:45:57 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\AVG7
2008-03-18 20:02:08 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Auslogics
2008-03-18 18:58:31 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\WinRAR
2008-03-18 18:57:08 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Adobe
2008-03-18 18:53:42 0 d-------- C:\Program Files\Common Files
2008-03-18 18:00:45 0 dr-h----- C:\Users\Hello Matthew!\AppData\Roaming\SecuROM
2008-03-18 14:55:29 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Mozilla
2008-03-18 14:46:57 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Logitech
2008-03-08 11:20:05 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\InstallShield
2008-03-08 11:15:21 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Macromedia
2008-03-08 10:56:34 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Identities
2008-03-04 09:11:57 18804224 --a------ C:\Windows\system32\imageres.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-25 10:05:54 174 --ahs---- C:\Program Files\desktop.ini
2008-02-25 10:02:14 0 d-------- C:\Program Files\Windows Calendar
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Sidebar
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Photo Gallery
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Mail
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Journal
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Defender
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Collaboration
2008-02-25 10:02:13 0 d-------- C:\Program Files\Movie Maker


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE0487CA-8B02-431E-BA63-D38844E020B5}]
03/18/2008 05:16 PM 222208 --a------ C:\Windows\ausctv32a.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 01:38 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/11/2007 04:06 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/11/2007 04:06 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/11/2007 04:06 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 09:16 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 02:40 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/29/2007 12:17 AM C:\Windows\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03/18/2008 02:50 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 07:34 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 01:33 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/23/2006 05:05 PM]
"EPSON Stylus CX6000 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBIA.exe" [10/18/2006 02:01 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" [04/04/2007 12:41 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 01:33 AM]

C:\Users\Hello Matthew!\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 5:16:50 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [3/18/2008 4:38:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 03/18/2008 02:49 PM 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c99946e6-ed44-11dc-b26c-806e6f6e6963}]
AutoRun\command- D:\PreyLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8025 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-22 10:49:11 ------------

extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 6400+
Percentage of Memory in Use: 27%
Physical Memory (total/avail): 3581.38 MiB / 2611.78 MiB
Pagefile Memory (total/avail): 7372.74 MiB / 6245.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1883.78 MiB

C: is Fixed (NTFS) - 290.09 GiB total, 204.17 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
R: is Fixed (NTFS) - 8 GiB total, 2.04 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD32 00AAKS-00B3A SCSI Disk Device - 298.09 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 290.09 GiB - C:
\PARTITION1 - Installable File System - 8 GiB - R:

\\.\PHYSICALDRIVE5 - EPSON Stylus Storage USB Device

\\.\PHYSICALDRIVE1 - Generic- Compact Flash USB Device

\\.\PHYSICALDRIVE4 - Generic- MS/MS-Pro USB Device

\\.\PHYSICALDRIVE3 - Generic- SD/MMC USB Device

\\.\PHYSICALDRIVE2 - Generic- SM/xD-Picture USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.519 v7.5.519 (Grisoft)
AS: AVG Anti-Spyware v7, 5, 1, 43 (GRISOFT s.r.o.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Hello Matthew!\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MATTHEW-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Hello Matthew!
LOCALAPPDATA=C:\Users\Hello Matthew!\AppData\Local
LOGONSERVER=\\MATTHEW-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4303
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\HELLOM~1\AppData\Local\Temp
TMP=C:\Users\HELLOM~1\AppData\Local\Temp
USERDOMAIN=Matthew-PC
USERNAME=Hello Matthew!
USERPROFILE=C:\Users\Hello Matthew!
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Hello Matthew!


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
ASUSUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9
AusLogics Disk Defrag --> "C:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
AusLogics Registry Defrag --> "C:\Program Files\Auslogics\AusLogics Registry Defrag\unins000.exe"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BitTorrent --> C:\Program Files\BitTorrent\uninst.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
DVDFab Platinum 4.0.5.0 Final enhanced FullVersion by AxMan cus --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"
EPSON Printer Software --> C:\Windows\system32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
FEAR --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B653229-9854-4989-B780-D978F5F13EAB}\setup.exe" -l0x9 /zU -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hitman Blood Money --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A804B134-F03D-4EFD-9BC0-DCD257AA1B22}\setup.exe" -l0x9 -removeonly
KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word 2007 --> MsiExec.exe /X{91120000-002B-0000-0000-0000000FF1CE}
Microsoft Office Word Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall WORDHOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Essentials --> MsiExec.exe /X{B28B351F-1232-46EA-85EF-B8EA91641033}
NVIDIA Drivers --> C:\Windows\system32\nvuninst.exe UninstallGUI
Prey --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A785BBA7-3FB9-4D81-BC35-4A2028915ACB}\setup.exe" -l0x9 -removeonly
Sid Meier's Pirates! --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{1632FD86-1BA4-4FC4-8B25-A8C655D63F68} /l1033
Soldier of Fortune II - Double Helix --> C:\PROGRA~1\SOLDIE~1\Uninstall\Unwise.exe /u C:\PROGRA~1\SOLDIE~1\Uninstall\install.log
SoundMAX --> C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
The Witcher --> "C:\Program Files\InstallShield Installation Information\{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}\setup.exe" -runfromtemp -l0x0009 -removeonly
Tom Clancy's Rainbow Six Vegas --> C:\Program Files\InstallShield Installation Information\{5731C0A8-B266-451A-8D3F-8066AA21836F}\setup.exe -runfromtemp -l0x0009 -removeonly
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
WinRAR --> "C:\Windows\WinRAR\uninstall.exe" "/U:C:\Program Files\WinRAR\Uninstall\uninstall.xml"
World in Conflict --> C:\Program Files\InstallShield Installation Information\{F11ADC64-C89E-47F4-A0B3-3665FF859397}\setup.exe -runfromtemp -l0x0009 -removeonly
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

No Errors/Warnings found.


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

No Errors/Warnings found.


-- End of Deckard's System Scanner: finished at 2008-03-22 10:49:11 ------------

i've had a couple BSOD issues too, and it's a new computer.

IRQL_NOT_LESS_OR_EQUAL

BAD_POOL_HEADER

MEMORY_MANAGEMENT

and one without a message but code 0x008E...

not sure if they are due to malware or anything, but it's been happening...

in this post we will check to see if you have a smitfraud infection - i suspect you have.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

andrewuk

SmitFraudFix v2.307

Scan done at 14:34:37.42, Sat 03/22/2008
Run from C:\Users\Hello Matthew!\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Hello Matthew!


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Hello Matthew!\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\HELLOM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G PCI Adapter
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{349B2BDD-A05E-4C71-8EA3-B12F2BCD23E7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8BE4722-0951-4D7C-859C-EB1D68322EE7}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{349B2BDD-A05E-4C71-8EA3-B12F2BCD23E7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8BE4722-0951-4D7C-859C-EB1D68322EE7}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{349B2BDD-A05E-4C71-8EA3-B12F2BCD23E7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F8BE4722-0951-4D7C-859C-EB1D68322EE7}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

i've had a couple BSOD issues too, and it's a new computer.

IRQL_NOT_LESS_OR_EQUAL

BAD_POOL_HEADER

MEMORY_MANAGEMENT

and one without a message but code 0x008E...

not sure if they are due to malware or anything, but it's been happening...

they dont look malware related, i may have to point you to another part of this forum once we have your machine cleaned.


====STEP 1====
Download the HostsXpert 4.2 - Hosts File Manager.

• Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
• Run HostsXpert 4.2 - Hosts File Manager from its new home
• Click on "File Handling".
• Click on "Restore MS Hosts File".
• Click OK on the Confirmation box.
• Click on "Make Read Only?"
• Click the X to exit the program.
• Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

====STEP 2====
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

the SDFix may not work, if so just let me know and we can go another route.

andrewuk

when i try and restore MS hosts file i get an error message: "ERROR: Cannot create file C:Windows\system32\DRIVERS\ETC\hosts"

either your secruity programs or malware is getting in the way. could you disable all your protection programs (AVG, spybot etc) and try again. let me know how it went.

in any event, could you go on and do the SDFix.

andrewuk

tried running sdfix in safe mode and it didn't do anything. runthis.bat would open a small window for a split second and then it would close...

also tried hostsexpert again with spyware, antivirus, and windows defender disabled and still got the same error.

Edited by shawshank24, 22 March 2008 - 05:38 PM.

ok, one last shot before we try another way.

As a Vista user I will require that all the programmes I ask you to run, be run by right clicking the icon and selecting Run as Administrator. Otherwise some programmes may fail to do their job properly

with that in mind, could you try them both again please.

andrewuk

i already tried doing that with both programs...

ok, we will go down this route......

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**