OK, here is the ComboFix log.
ComboFix 08-07-24.6 - 4est the best 2008-07-26 15:55:51.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.218 [GMT -7:00]
Running from: C:\Users\4est the best\Downloads\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\Users\4est the best\AppData\Roaming\Malwarebytes
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 15:37 . 2008-07-23 20:09 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-07-26 15:37 . 2008-07-23 20:09 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-25 21:57 . 2008-07-25 23:02 <DIR> d-------- C:\Program Files\Navilog1
2008-07-25 19:39 . 2008-07-25 19:39 <DIR> d-------- C:\_OTMoveIt
2008-07-25 02:43 . 2008-07-25 02:43 <DIR> d-------- C:\Program Files\Sun
2008-07-25 01:59 . 2008-07-25 01:59 <DIR> d-------- C:\Deckard
2008-07-24 15:10 . 2008-07-24 15:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 14:57 . 2008-07-24 14:57 <DIR> d--hs---- C:\found.000
2008-07-24 01:18 . 2008-06-25 17:33 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-24 01:18 . 2008-06-25 20:22 9,845,248 --a------ C:\Windows\System32\NlsData000a.dll
2008-07-24 01:18 . 2008-06-25 20:22 4,874,240 --a------ C:\Windows\System32\NlsData0009.dll
2008-07-24 01:18 . 2008-06-25 17:33 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-24 01:18 . 2008-06-25 20:22 2,641,408 --a------ C:\Windows\System32\NlsData000c.dll
2008-07-24 01:18 . 2008-06-25 20:22 2,340,864 --a------ C:\Windows\System32\NlsData000d.dll
2008-07-24 01:18 . 2008-06-25 20:22 797,696 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-24 01:16 . 2008-06-25 17:33 11,722,752 --a------ C:\Windows\System32\NlsLexicons0001.dll
2008-07-12 00:51 . 2008-07-12 00:51 <DIR> d-------- C:\Windows\CheckSur
2008-06-26 00:01 . 2008-06-26 00:03 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-06-26 00:01 . 2008-06-26 00:03 <DIR> d-------- C:\ProgramData\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 10:08 --------- d-----w C:\Program Files\Real
2008-07-25 09:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-25 09:48 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-07-25 09:43 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-25 09:41 --------- d-----w C:\Program Files\Java
2008-07-25 09:40 --------- d-----w C:\Program Files\Rhapsody
2008-07-25 09:39 --------- d-----w C:\Program Files\Shockwave.com
2008-07-25 09:36 --------- d-----w C:\Users\4est the best\AppData\Roaming\Microsoft Game Studios
2008-07-25 09:36 --------- d-----w C:\ProgramData\Microsoft Games
2008-07-25 09:36 --------- d-----w C:\Program Files\Microsoft Games
2008-07-25 09:34 --------- d-----w C:\ProgramData\AOL
2008-07-12 08:53 174 --sha-w C:\Program Files\desktop.ini
2008-07-12 07:51 --------- d-----w C:\Program Files\Windows Mail
2008-06-26 06:47 2,914,296 ----a-w C:\Users\4est the best\computer cleaner.exe
2008-06-26 06:47 --------- d-----w C:\Program Files\CCleaner
2008-06-26 06:40 9,722,720 ----a-w C:\Users\4est the best\spybot.exe
2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-24 07:05 --------- d-----w C:\Program Files\Game_Maker7
2008-06-24 07:04 8,183,675 ----a-w C:\Users\4est the best\gmaker.exe
2008-06-18 14:13 --------- d---a-w C:\ProgramData\TEMP
2008-06-02 10:02 --------- d-----w C:\Program Files\CONEXANT
2008-05-24 00:07 258 ----a-w C:\Users\4est the best\AppData\Roaming\wklnhst.dat
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-04-26 08:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-04 16:12 13,401 ----a-w C:\Users\4est the best\AppData\Roaming\nvModes.dat
2008-03-30 16:14 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-30 16:14 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-30 16:14 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 05:35 125440]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-14 21:33 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 20:36 827392]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 15:05 1410304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-16 08:00 185896]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"C:\\Program Files\\Vongo\\VongoService.exe"= C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"EarthLink2"= TCP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"EarthLink1"= UDP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"TCP Query User{31DC0588-866C-4FF1-B25F-4F84AE2E7FCE}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{07EA904F-A36C-4F3E-B2C5-A19A4FD92626}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{00623C06-2885-4E61-9471-AC8742A8733B}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1113E5F1-5258-4B91-9305-CB290B37704C}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{FB9145F6-D1E8-474B-ABAC-98E587BF73F7}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{29C35424-A177-4EDB-A72B-C417142DEE16}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"TCP Query User{82000440-3995-492E-81BD-998B6D1CEF47}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{BD2EA2A4-1D4C-45E7-9FBF-31353F12A968}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2007-11-14 15:06]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 02:32]
R3 NWADI;NWADI Bus Enumerator;C:\Windows\system32\DRIVERS\NWADIenum.sys [2006-09-26 14:29]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\Windows\system32\DRIVERS\nwusbser2.sys [2006-09-14 16:45]
S3 GameConsoleService;GameConsoleService;C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2007-08-21 10:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2e7ee53-003b-11dd-9b45-0016d3a9fd4f}]
\shell\AutoRun\command - F:\PortableVault.exe
*Newly Created Service* - MBAMSWISSARMY
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 16:04:54
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-26 16:12:36
ComboFix-quarantined-files.txt 2008-07-26 23:12:18
Pre-Run: 103,333,748,736 bytes free
Post-Run: 103,346,667,520 bytes free
138 --- E O F --- 2008-07-26 04:57:20
And here is the HijackThis log. How does everything look?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:53 PM, on 7/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Users\4est the best\AppData\Local\amsoqyyq.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\4est the best\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZC0KMEGZ\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\4ESTTH~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [amsoqyyq] c:\users\4est the best\appdata\local\amsoqyyq.exe amsoqyyq
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ploader_v10.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 7538 bytes