[MEMPHIS1986]

Well the good news is my computer runs alittle faster, the bad news is the problem still remains the same. I still cannot change my desktop background, here is the log

SmitFraudFix v2.339

Scan done at 22:41:31.91, Sun 08/24/2008
Run from C:\Users\Zach\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7B550427-4313-4D08-BD31-FF25631F5622}: DhcpNameServer=10.77.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7B550427-4313-4D08-BD31-FF25631F5622}: DhcpNameServer=10.77.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7B550427-4313-4D08-BD31-FF25631F5622}: DhcpNameServer=10.77.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.77.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.77.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.77.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

[Advertisements]

Hi,

Well it's good that it's running better, now we just need to sort out the desktop background issue. I'm going to ask you to query a couple of keys in your registry so I can see if there are any restrictions set there.


Click on your Start/Windows button and copy/paste the following line into the start search box just above it, then click enter (nothing will appear to happen).

regedit /e c:\look.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

Do the same thing with the next line:

regedit /e c:\look2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

Now navigate to your C: drive and look for 2 text files, look.txt and look2.txt. Open each and copy/paste the text back here from each.


Also, while I'm looking at that, you need to update Java.

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 7.

• Go to the Sun Java Website
• Click on the download button next to Java Runtime Environment (JRE) 6 Update 7
• Check the circle next to I agree to the Java SE Runtime Environment 6 License Agreement.
• Click on the link Windows Offline Installation, Multi-language and save the downloaded file to your hard disk.
• Go to Start => Control Panel => Add or Remove Programs
• Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
• Reboot your computer
• Delete the folder C:\Program Files\Java if present
• Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
• Reboot your computer

And a question...did you install the Ask Toolbar? While it is not really malicious, I would advise you to uninstall it using remove programs in Control Panel. There are better toolbars such as the google or yahoo ones. More info. at the following link:

http://www.benedelma...e/ask-toolbars/

[IndiGenus]

Hi,

Well it's good that it's running better, now we just need to sort out the desktop background issue. I'm going to ask you to query a couple of keys in your registry so I can see if there are any restrictions set there.


Click on your Start/Windows button and copy/paste the following line into the start search box just above it, then click enter (nothing will appear to happen).

regedit /e c:\look.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

Do the same thing with the next line:

regedit /e c:\look2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

Now navigate to your C: drive and look for 2 text files, look.txt and look2.txt. Open each and copy/paste the text back here from each.


Also, while I'm looking at that, you need to update Java.

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 7.

• Go to the Sun Java Website
• Click on the download button next to Java Runtime Environment (JRE) 6 Update 7
• Check the circle next to I agree to the Java SE Runtime Environment 6 License Agreement.
• Click on the link Windows Offline Installation, Multi-language and save the downloaded file to your hard disk.
• Go to Start => Control Panel => Add or Remove Programs
• Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
• Reboot your computer
• Delete the folder C:\Program Files\Java if present
• Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
• Reboot your computer

And a question...did you install the Ask Toolbar? While it is not really malicious, I would advise you to uninstall it using remove programs in Control Panel. There are better toolbars such as the google or yahoo ones. More info. at the following link:

http://www.benedelma...e/ask-toolbars/

[MEMPHIS1986]

(Look1)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=dword:00000000
"HideLogoffScripts"=dword:00000000
"RunLogonScriptSync"=dword:00000001
"RunStartupScriptSync"=dword:00000000
"HideStartupScripts"=dword:00000000


(Look2)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"scforceoption"=dword:00000000
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"EnableUIADesktopToggle"=dword:00000000
"HideLegacyLogonScripts"=dword:00000000
"HideLogoffScripts"=dword:00000000
"RunLogonScriptSync"=dword:00000001
"RunStartupScriptSync"=dword:00000000
"HideStartupScripts"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UIPI]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011


And yes i did install it, but dont really use it

[MEMPHIS1986]

the site wont let me download java, it said unable to complete download transaction. I think maybe its cause i am useing wireless internet in Iraq. I don't know.

[IndiGenus]

OK at this point I'm a bit stumped and am going to ask for some backup help from the experts behind the scenes on this desktop issue. I'm not seeing any restrictions in those reg keys. In the meantime let's get a Kaspersky online scan and see if it picks up anything. The scan will likely take several hours so be patient.

Please go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

[IndiGenus]

Hi,

If you haven't started the Kaspersky scan yet please do the step here first.

You have a flash drive infection here. Please make sure the F: USB drive is inserted and run the following script.

1. Please open Notepad

• Click Start , then Run
• Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85aeb491-f055-11dc-b101-0016d4c108b7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b415fff0-534b-11dd-b8f3-0016d4c108b7}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




Now using Windows Explorer delete the following file.

F:\Autorun.exe


After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

[MEMPHIS1986]

I havent done the kasper scan yet, i have multiple flash drives, 1 thumb and 1 external harddrive, and 1 ipod. Should I scan all 3?

[IndiGenus]

Should I scan all 3?

Yes

Edited by IndiGenus, 25 August 2008 - 07:05 AM.

[MEMPHIS1986]

(RESULTS FOR FLASH DRIVE)

ComboFix 08-08-23.03 - Zach 2008-08-25 17:32:08.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.323 [GMT 3:00]
Running from: C:\Users\Zach\Desktop\ComboFix.exe
Command switches used :: C:\Users\Zach\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-24 22:41 . 2008-08-24 22:41 691 --a------ C:\Users\Zach\AppData\Roaming\GetValue.vbs
2008-08-24 22:41 . 2008-08-24 22:41 35 --a------ C:\Users\Zach\AppData\Roaming\SetValue.bat
2008-08-24 22:36 . 2008-08-23 19:06 89,600 --a------ C:\WINDOWS\System32\AntiXPVSTFix.exe
2008-08-24 20:07 . 2008-08-24 20:07 <DIR> d-------- C:\Users\Zach\AppData\Roaming\Malwarebytes
2008-08-24 20:06 . 2008-08-24 20:06 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-24 20:06 . 2008-08-24 20:06 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-24 20:06 . 2008-08-24 20:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-24 20:06 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\System32\drivers\mbamswissarmy.sys
2008-08-24 20:06 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\System32\drivers\mbam.sys
2008-08-24 17:50 . 2008-08-24 22:41 5,042 --a------ C:\WINDOWS\System32\tmp.reg
2008-08-24 17:49 . 2008-08-24 22:36 <DIR> d-------- C:\WINDOWS\System32\SmitfraudFix
2008-08-24 11:59 . 2008-08-24 11:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 21:46 . 2008-08-23 21:47 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-23 21:12 . 2008-08-23 21:12 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-23 21:10 . 2008-08-23 22:03 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-23 21:10 . 2008-08-23 22:03 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-23 21:10 . 2008-08-23 21:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-13 08:02 . 2008-07-16 04:32 2,048 --a------ C:\WINDOWS\System32\tzres.dll
2008-08-12 23:00 . 2008-06-27 04:55 1,383,424 --a------ C:\WINDOWS\System32\mshtml.tlb
2008-08-12 23:00 . 2008-06-27 07:15 827,392 --a------ C:\WINDOWS\System32\wininet.dll
2008-08-12 22:14 . 2008-06-19 06:31 361,984 --a------ C:\WINDOWS\System32\IPSECSVC.DLL
2008-08-12 21:53 . 2008-04-10 08:12 738,304 --a------ C:\WINDOWS\System32\inetcomm.dll
2008-08-12 21:47 . 2008-04-18 08:48 269,312 --a------ C:\WINDOWS\System32\es.dll
2008-08-10 20:18 . 2008-08-10 20:24 <DIR> d-------- C:\Poker Application
2008-08-06 23:18 . 2008-08-06 23:18 <DIR> d-------- C:\Program Files\iTunes
2008-08-06 23:18 . 2008-08-06 23:18 <DIR> d-------- C:\Program Files\iPod
2008-07-31 19:23 . 2008-07-31 19:23 <DIR> d--hs---- C:\found.001
2008-07-29 00:55 . 2008-07-29 00:55 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 14:19 --------- d---a-w C:\Program Files\Sportsbook Poker
2008-08-13 05:00 --------- d-----w C:\Program Files\Windows Mail
2008-07-28 21:56 --------- d-----w C:\Users\Zach\AppData\Roaming\Apple Computer
2008-07-28 17:27 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-20 20:01 --------- d-----w C:\Program Files\AskBar
2008-07-19 14:36 51,280 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-07-18 20:01 --------- d-----w C:\ProgramData\Sportsbook Poker
2008-07-10 06:35 32,000 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-07-06 10:26 --------- d-----w C:\ProgramData\Apple Computer
2008-07-06 10:15 --------- d-----w C:\Program Files\QuickTime
2008-07-06 10:15 --------- d-----w C:\Program Files\Bonjour
2008-07-06 10:11 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-01 19:59 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-29 12:33 174 --sha-w C:\Program Files\desktop.ini
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Journal
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Calendar
2008-06-29 12:23 --------- d-----w C:\Program Files\Windows Defender
2008-06-29 11:46 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-29 11:46 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-03-06 17:16 0 ----a-w C:\Users\Public\Public.exe
2007-12-24 20:12 82 ----a-w C:\Users\Zach\AppData\Roaming\wklnhst.dat
2001-11-11 00:28 342 ----a-w C:\Program Files\setup.bat
2001-11-10 19:33 12,538,001 ----a-w C:\Program Files\unpack.exe
2001-11-10 19:32 29,696 ----a-w C:\Program Files\STARTW.EXE
2001-11-10 18:11 41,563 ----a-w C:\Program Files\RegSetup.exe
2001-10-17 21:03 163,840 ----a-w C:\Program Files\swgbg.exe
2000-03-18 08:29 49,152 ----a-w C:\Program Files\inject.exe
2007-10-02 10:25 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-02 10:25 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-02 10:25 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-24_21.21.23.77 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-24 04:29:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-24 19:44:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-24 04:29:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-08-24 19:44:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-24 04:31:05 1,835,008 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-24 19:45:52 1,835,008 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-24 17:32:29 1,835,008 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-25 08:47:02 1,835,008 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-24 04:33:48 101,350 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-25 14:29:12 101,350 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-24 04:33:48 595,684 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-25 14:29:12 595,684 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-24 04:31:40 8,968 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3267774855-3434458095-2078165290-1000_UserData.bin
+ 2008-08-24 19:46:35 8,968 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3267774855-3434458095-2078165290-1000_UserData.bin
- 2008-08-24 04:31:40 52,208 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-24 19:46:35 52,326 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-24 04:31:38 49,570 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-24 19:46:30 49,714 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 10:33 125952]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 01:43 4670704]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 03:15 221184]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 10:33 1233920]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-05-29 01:59 95800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:50 1021224]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-12-03 03:32 167936]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-10 21:50 46704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2006-12-07 10:43 77824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 17:38 78008]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Waiting1210"="C:\Windows\AStiDog1210.exe" [2007-03-23 10:46 60416]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"Computer Alarm Clock"="C:\PROGRA~1\COMPUT~1\cac.exe" [2007-09-06 15:29 696832]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

C:\Users\Zach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe [2005-08-18 22:44:26 21504]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 12:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 11:01:50 734872]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe [2006-12-07 10:19:49 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{912E4D46-9443-4355-BFFD-FB17D1033BBB}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{88E37DE1-BF38-4EAF-9FE1-518E9C159753}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A03BCDD1-BC60-4290-B48B-B85FE0EE7605}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{F0484DEF-8161-4100-BC94-B92C63F6C992}"= TCP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{117D3D41-9CBC-4A77-8F6F-FD23E365AB86}"= UDP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{591AC6C7-9C04-4FC7-A1D7-860D35446253}"= C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections:Compaq Connections
"{CF896297-B062-46A0-9418-340FAACC54EB}"= UDP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{C3270D6A-EBA1-48AF-B455-D06CEB6E7E68}"= TCP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{B2761C83-086B-460F-B618-FC413E458717}"= UDP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{63836B04-D758-4976-98BF-91A26EA796F5}"= TCP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{1728CC25-CFF7-4DE1-922A-B761022F0C74}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{602094BE-385C-4951-A490-686FB9257ECF}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{75D4F8F0-3B32-4451-B767-AC96FEC0289E}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6A0DEB76-5B19-4418-A0BB-06F266E551C6}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3AF834DA-4EDF-4596-8A60-07C784A5D13F}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18D85347-A6E7-48C4-8DEB-A18714534CA5}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AE4B48D9-8230-420A-9BAB-B97B4BC463DF}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C213E8C3-CEAC-4E97-B836-86023BAC388E}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4978747C-0BE1-4BB3-9B42-7070E51DC9D0}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A6C7D070-2272-4835-A1E5-CC984CE01C39}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{234153EE-68AA-4286-AB6E-43E38ADEB8D2}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{415308DA-2616-411E-9FAE-18A22B480521}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{64F90B18-9EC2-44E2-BBB5-C5D871DAFBAC}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{725D8671-098E-4786-88C7-B4FC9CF23CE4}C:\\users\\zach\\shared\\pc games - unreal tournament\\unreal tournament\\system\\unrealtournament.exe"= UDP:C:\users\zach\shared\pc games - unreal tournament\unreal tournament\system\unrealtournament.exe:unrealtournament.exe
"UDP Query User{25978C31-DB7B-4222-947D-EC6A303A77F4}C:\\users\\zach\\shared\\pc games - unreal tournament\\unreal tournament\\system\\unrealtournament.exe"= TCP:C:\users\zach\shared\pc games - unreal tournament\unreal tournament\system\unrealtournament.exe:unrealtournament.exe
"TCP Query User{F6B79F99-8F22-4B0E-93B4-8133591BAABA}C:\\program files\\electronic arts\\sports car gt\\spcar.exe"= UDP:C:\program files\electronic arts\sports car gt\spcar.exe:Sports Car GT
"UDP Query User{ECD9BC41-DE76-4238-B91B-CF73BA2AA687}C:\\program files\\electronic arts\\sports car gt\\spcar.exe"= TCP:C:\program files\electronic arts\sports car gt\spcar.exe:Sports Car GT
"TCP Query User{6BE8738C-6FDF-48FA-93D6-CF7BD0613266}C:\\program files\\webmoney\\webmoney.exe"= Disabled:UDP:C:\program files\webmoney\webmoney.exe:WebMoney Keeper Classic Runner Module
"UDP Query User{D358E598-CBD6-41DD-8D5D-E013644C33E5}C:\\program files\\webmoney\\webmoney.exe"= Disabled:TCP:C:\program files\webmoney\webmoney.exe:WebMoney Keeper Classic Runner Module
"TCP Query User{2DC7B35B-1159-467C-971B-DCFA0CC6DC51}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{0474DB1D-23F7-495D-AC55-362076E4DE0A}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{A25DF0D2-01CF-40A4-9BCE-89C77FE22F3D}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{95B4A3AF-28F1-44B0-A505-EA2884E5F5B9}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A2484848-D84F-4F61-96FD-CD70EDF44CD1}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{D6E107F9-8FA0-49A0-866D-DB47E535AFFF}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{3DC88B57-690A-4364-8AFA-C222A0251EEB}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{E1A7DA1F-6AE6-4E2C-9F18-41172340DDA2}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"{347735A6-9EC2-4181-BC61-995AAFD977BA}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{29B8E9CC-46FF-4423-A3FC-3493BDCD28D2}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-07-19 17:35]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 17:37]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-07-19 17:36]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 02:32]
S3 CAM1210;USB video camera;C:\Windows\system32\Drivers\cam1210.sys [2007-03-22 17:20]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 08:53]
.
Contents of the 'Scheduled Tasks' folder

2008-08-24 C:\Windows\Tasks\User_Feed_Synchronization-{D5382518-FB8F-4594-929B-C4BE29E64F73}.job
- C:\Windows\system32\msfeedssync.exe [2008-01-19 10:33]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 17:36:43
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 17:39:03
ComboFix-quarantined-files.txt 2008-08-25 14:38:25
ComboFix2.txt 2008-08-24 18:22:37

Pre-Run: 32,643,350,528 bytes free
Post-Run: 32,644,345,856 bytes free

229 --- E O F --- 2008-08-13 05:03:44



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:46:41, on 8/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\AStiDog1210.exe
C:\Program Files\Computer Alarm Clock\cac.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AskBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Waiting1210] C:\Windows\AStiDog1210.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Computer Alarm Clock] C:\PROGRA~1\COMPUT~1\cac.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O8 - Extra context menu item: &Save Image to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimagetofolder.html
O8 - Extra context menu item: &Save Image to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimages.html
O8 - Extra context menu item: &Save Link to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveltof.html
O8 - Extra context menu item: &Save Link to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savelink.html
O8 - Extra context menu item: &Save Page to Folder... - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savepagetofolder.html
O8 - Extra context menu item: &Save this Page to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savewebpage.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Zach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Zach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O13 - Gopher Prefix:
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9244 bytes

[MEMPHIS1986]

(RESULTS FOR EXTERNAL HARDDRIVE)

ComboFix 08-08-23.03 - Zach 2008-08-25 17:54:24.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.259 [GMT 3:00]
Running from: C:\Users\Zach\Desktop\ComboFix.exe
Command switches used :: C:\Users\Zach\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-24 22:41 . 2008-08-24 22:41 691 --a------ C:\Users\Zach\AppData\Roaming\GetValue.vbs
2008-08-24 22:41 . 2008-08-24 22:41 35 --a------ C:\Users\Zach\AppData\Roaming\SetValue.bat
2008-08-24 22:36 . 2008-08-23 19:06 89,600 --a------ C:\WINDOWS\System32\AntiXPVSTFix.exe
2008-08-24 20:07 . 2008-08-24 20:07 <DIR> d-------- C:\Users\Zach\AppData\Roaming\Malwarebytes
2008-08-24 20:06 . 2008-08-24 20:06 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-24 20:06 . 2008-08-24 20:06 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-24 20:06 . 2008-08-24 20:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-24 20:06 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\System32\drivers\mbamswissarmy.sys
2008-08-24 20:06 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\System32\drivers\mbam.sys
2008-08-24 17:50 . 2008-08-24 22:41 5,042 --a------ C:\WINDOWS\System32\tmp.reg
2008-08-24 17:49 . 2008-08-24 22:36 <DIR> d-------- C:\WINDOWS\System32\SmitfraudFix
2008-08-24 11:59 . 2008-08-24 11:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 21:46 . 2008-08-23 21:47 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-23 21:12 . 2008-08-23 21:12 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-23 21:10 . 2008-08-23 22:03 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-23 21:10 . 2008-08-23 22:03 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-23 21:10 . 2008-08-23 21:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-13 08:02 . 2008-07-16 04:32 2,048 --a------ C:\WINDOWS\System32\tzres.dll
2008-08-12 23:00 . 2008-06-27 04:55 1,383,424 --a------ C:\WINDOWS\System32\mshtml.tlb
2008-08-12 23:00 . 2008-06-27 07:15 827,392 --a------ C:\WINDOWS\System32\wininet.dll
2008-08-12 22:14 . 2008-06-19 06:31 361,984 --a------ C:\WINDOWS\System32\IPSECSVC.DLL
2008-08-12 21:53 . 2008-04-10 08:12 738,304 --a------ C:\WINDOWS\System32\inetcomm.dll
2008-08-12 21:47 . 2008-04-18 08:48 269,312 --a------ C:\WINDOWS\System32\es.dll
2008-08-10 20:18 . 2008-08-10 20:24 <DIR> d-------- C:\Poker Application
2008-08-06 23:18 . 2008-08-06 23:18 <DIR> d-------- C:\Program Files\iTunes
2008-08-06 23:18 . 2008-08-06 23:18 <DIR> d-------- C:\Program Files\iPod
2008-07-31 19:23 . 2008-07-31 19:23 <DIR> d--hs---- C:\found.001
2008-07-29 00:55 . 2008-07-29 00:55 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 14:19 --------- d---a-w C:\Program Files\Sportsbook Poker
2008-08-13 05:00 --------- d-----w C:\Program Files\Windows Mail
2008-07-28 21:56 --------- d-----w C:\Users\Zach\AppData\Roaming\Apple Computer
2008-07-28 17:27 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-20 20:01 --------- d-----w C:\Program Files\AskBar
2008-07-19 14:36 51,280 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-07-18 20:01 --------- d-----w C:\ProgramData\Sportsbook Poker
2008-07-10 06:35 32,000 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-07-06 10:26 --------- d-----w C:\ProgramData\Apple Computer
2008-07-06 10:15 --------- d-----w C:\Program Files\QuickTime
2008-07-06 10:15 --------- d-----w C:\Program Files\Bonjour
2008-07-06 10:11 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-01 19:59 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-29 12:33 174 --sha-w C:\Program Files\desktop.ini
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Journal
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-29 12:24 --------- d-----w C:\Program Files\Windows Calendar
2008-06-29 12:23 --------- d-----w C:\Program Files\Windows Defender
2008-06-29 11:46 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-29 11:46 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-03-06 17:16 0 ----a-w C:\Users\Public\Public.exe
2007-12-24 20:12 82 ----a-w C:\Users\Zach\AppData\Roaming\wklnhst.dat
2001-11-11 00:28 342 ----a-w C:\Program Files\setup.bat
2001-11-10 19:33 12,538,001 ----a-w C:\Program Files\unpack.exe
2001-11-10 19:32 29,696 ----a-w C:\Program Files\STARTW.EXE
2001-11-10 18:11 41,563 ----a-w C:\Program Files\RegSetup.exe
2001-10-17 21:03 163,840 ----a-w C:\Program Files\swgbg.exe
2000-03-18 08:29 49,152 ----a-w C:\Program Files\inject.exe
2007-10-02 10:25 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-02 10:25 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-02 10:25 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-24_21.21.23.77 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-24 04:29:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-24 19:44:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-24 04:29:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-08-24 19:44:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-24 04:31:05 1,835,008 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-24 19:45:52 1,835,008 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-24 17:32:29 1,835,008 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-25 08:47:02 1,835,008 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-24 04:33:48 101,350 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-25 14:53:38 101,350 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-24 04:33:48 595,684 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-25 14:53:38 595,684 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-24 04:31:40 8,968 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3267774855-3434458095-2078165290-1000_UserData.bin
+ 2008-08-24 19:46:35 8,968 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3267774855-3434458095-2078165290-1000_UserData.bin
- 2008-08-24 04:31:40 52,208 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-24 19:46:35 52,326 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-24 04:31:38 49,570 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-24 19:46:30 49,714 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 10:33 125952]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 01:43 4670704]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 03:15 221184]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 10:33 1233920]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-05-29 01:59 95800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:50 1021224]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-12-03 03:32 167936]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-10 21:50 46704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2006-12-07 10:43 77824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 17:38 78008]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Waiting1210"="C:\Windows\AStiDog1210.exe" [2007-03-23 10:46 60416]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"Computer Alarm Clock"="C:\PROGRA~1\COMPUT~1\cac.exe" [2007-09-06 15:29 696832]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

C:\Users\Zach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe [2005-08-18 22:44:26 21504]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 12:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 11:01:50 734872]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe [2006-12-07 10:19:49 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{912E4D46-9443-4355-BFFD-FB17D1033BBB}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{88E37DE1-BF38-4EAF-9FE1-518E9C159753}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A03BCDD1-BC60-4290-B48B-B85FE0EE7605}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{F0484DEF-8161-4100-BC94-B92C63F6C992}"= TCP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{117D3D41-9CBC-4A77-8F6F-FD23E365AB86}"= UDP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{591AC6C7-9C04-4FC7-A1D7-860D35446253}"= C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections:Compaq Connections
"{CF896297-B062-46A0-9418-340FAACC54EB}"= UDP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{C3270D6A-EBA1-48AF-B455-D06CEB6E7E68}"= TCP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{B2761C83-086B-460F-B618-FC413E458717}"= UDP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{63836B04-D758-4976-98BF-91A26EA796F5}"= TCP:C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{1728CC25-CFF7-4DE1-922A-B761022F0C74}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{602094BE-385C-4951-A490-686FB9257ECF}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{75D4F8F0-3B32-4451-B767-AC96FEC0289E}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6A0DEB76-5B19-4418-A0BB-06F266E551C6}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3AF834DA-4EDF-4596-8A60-07C784A5D13F}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18D85347-A6E7-48C4-8DEB-A18714534CA5}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AE4B48D9-8230-420A-9BAB-B97B4BC463DF}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C213E8C3-CEAC-4E97-B836-86023BAC388E}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4978747C-0BE1-4BB3-9B42-7070E51DC9D0}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A6C7D070-2272-4835-A1E5-CC984CE01C39}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{234153EE-68AA-4286-AB6E-43E38ADEB8D2}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{415308DA-2616-411E-9FAE-18A22B480521}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{64F90B18-9EC2-44E2-BBB5-C5D871DAFBAC}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{725D8671-098E-4786-88C7-B4FC9CF23CE4}C:\\users\\zach\\shared\\pc games - unreal tournament\\unreal tournament\\system\\unrealtournament.exe"= UDP:C:\users\zach\shared\pc games - unreal tournament\unreal tournament\system\unrealtournament.exe:unrealtournament.exe
"UDP Query User{25978C31-DB7B-4222-947D-EC6A303A77F4}C:\\users\\zach\\shared\\pc games - unreal tournament\\unreal tournament\\system\\unrealtournament.exe"= TCP:C:\users\zach\shared\pc games - unreal tournament\unreal tournament\system\unrealtournament.exe:unrealtournament.exe
"TCP Query User{F6B79F99-8F22-4B0E-93B4-8133591BAABA}C:\\program files\\electronic arts\\sports car gt\\spcar.exe"= UDP:C:\program files\electronic arts\sports car gt\spcar.exe:Sports Car GT
"UDP Query User{ECD9BC41-DE76-4238-B91B-CF73BA2AA687}C:\\program files\\electronic arts\\sports car gt\\spcar.exe"= TCP:C:\program files\electronic arts\sports car gt\spcar.exe:Sports Car GT
"TCP Query User{6BE8738C-6FDF-48FA-93D6-CF7BD0613266}C:\\program files\\webmoney\\webmoney.exe"= Disabled:UDP:C:\program files\webmoney\webmoney.exe:WebMoney Keeper Classic Runner Module
"UDP Query User{D358E598-CBD6-41DD-8D5D-E013644C33E5}C:\\program files\\webmoney\\webmoney.exe"= Disabled:TCP:C:\program files\webmoney\webmoney.exe:WebMoney Keeper Classic Runner Module
"TCP Query User{2DC7B35B-1159-467C-971B-DCFA0CC6DC51}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{0474DB1D-23F7-495D-AC55-362076E4DE0A}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{A25DF0D2-01CF-40A4-9BCE-89C77FE22F3D}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{95B4A3AF-28F1-44B0-A505-EA2884E5F5B9}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A2484848-D84F-4F61-96FD-CD70EDF44CD1}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{D6E107F9-8FA0-49A0-866D-DB47E535AFFF}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{3DC88B57-690A-4364-8AFA-C222A0251EEB}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{E1A7DA1F-6AE6-4E2C-9F18-41172340DDA2}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"{347735A6-9EC2-4181-BC61-995AAFD977BA}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{29B8E9CC-46FF-4423-A3FC-3493BDCD28D2}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-07-19 17:35]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 17:37]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-07-19 17:36]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 02:32]
S3 CAM1210;USB video camera;C:\Windows\system32\Drivers\cam1210.sys [2007-03-22 17:20]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 08:53]
.
Contents of the 'Scheduled Tasks' folder

2008-08-24 C:\Windows\Tasks\User_Feed_Synchronization-{D5382518-FB8F-4594-929B-C4BE29E64F73}.job
- C:\Windows\system32\msfeedssync.exe [2008-01-19 10:33]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 17:57:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 18:00:10
ComboFix-quarantined-files.txt 2008-08-25 14:59:29
ComboFix2.txt 2008-08-25 14:39:04
ComboFix3.txt 2008-08-24 18:22:37

Pre-Run: 32,676,802,560 bytes free
Post-Run: 32,643,448,832 bytes free

230 --- E O F --- 2008-08-13 05:03:44

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:03:32, on 8/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\AStiDog1210.exe
C:\Program Files\Computer Alarm Clock\cac.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AskBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskBar\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Waiting1210] C:\Windows\AStiDog1210.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Computer Alarm Clock] C:\PROGRA~1\COMPUT~1\cac.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O8 - Extra context menu item: &Save Image to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimagetofolder.html
O8 - Extra context menu item: &Save Image to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveimages.html
O8 - Extra context menu item: &Save Link to Folder - res://C:\Program Files\AskBar\bar\bin\askBar.dll/saveltof.html
O8 - Extra context menu item: &Save Link to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savelink.html
O8 - Extra context menu item: &Save Page to Folder... - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savepagetofolder.html
O8 - Extra context menu item: &Save this Page to MyStuff - res://C:\Program Files\AskBar\bar\bin\askBar.dll/savewebpage.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Zach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Zach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O13 - Gopher Prefix:
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9153 bytes

[MEMPHIS1986]

I DIDNT FIND ANY AUTORUN UNDER ANY OF THE F:/

also now that you mention flash virus, i did notice a couple of months ago a sound coming from the computer that should not of been, you know the sound you hear when you plug in a USB drive, i kept hearing that sound periodically even when there was no USB in the port. Also my display settings would change to super huge, i had to manually reconfigure the displa settings, it kept trying to connect to a external display. Then certain files were acting up locking me out, i got rid of that file a long time ago though, it took sevral tries. There were also unknown users added to my list of admin users, which are still there that i cant seem to get rid of. AVAST warned me i had malware infections back when i had limewire, actually i still have my AVAST logs if you want to check them out

[IndiGenus]

Hi,

Just to make sure there's no Autorun file make sure hidden files and folders are enabled:

http://www.bleepingc...utorial130.html

Please check again after doing so.

Let's also go ahead and run Kaspersky as advised earlier.

I assume you still have the desktop background issue?

[MEMPHIS1986]

i tried kasper and it won't let me download or run on the net. The process keeps failing. I was trying to reboot my computer back to factorysettings, but i cant find the option, do you think this willl help at all? And all of my system restore points were deleted by an unknown admin called MSCMX or something like that.

[IndiGenus]

I was trying to reboot my computer back to factorysettings, but i cant find the option, do you think this willl help at all?

This is different from a system restore. System restore will not remove your files. To do this you need the system restore disk, or most laptops put it on the D: drive also, you would have to check your laptops' documentation. That will destroy all of your data so you would need to back up first if there's anything you want to keep. And yes that would solve the issue.

My goal is to try and clean you up without doing that. If we can get you clean then I could refer you over to the Windows help forums here. If you want to continue the cleaning try this scanner.

Lets run an F-Secure online scan for Viruses, Spyware and RootKits:

• Go to http://support.f-sec.../home/ols.shtml
• Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
• Allow the Active X control to be installed on your computer, then click the Accept button
• Click Full System Scan and allow the components to download and the scan to complete.
• If malware is found, check Submit samples to F-Secure then select Automatic cleaning
• When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

• When the cleaning option is presented, Uncheck Submit samples to F-Secure
• Click Automatic cleaning
• When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Notes:

• This scan will only work with Internet Explorer
• You must have administrator rights to run this scan
• This scan can take several hours, so please be patient

[MEMPHIS1986]

I did the restore to factory settings. It did solve my deskptop issue, but i still feel there is something still lurking. This would be my second system restore. I think the root cause to my problem was limewire