HJT Log - Virus startup trouble

When I boot into Windows Vista I get a black screen and the My Documents folder; I have to open Task Manager, where it tells me explorer.exe is open, but I have to manually open it to get my computer going. I then get a message telling me that awvtu.dll is missing. If I run my Kaspersky scanner and delete the trojan that it finds (including ddaby.exe) I lose access to some programs such as WeatherEye and Windows Live Messenger. If I leave Kaspersky on, it finds the same trojan repeatedly until I either allow it in or wish to open a program.

I could not run Panda as there is no Vista scan.

Help from the forum would be very much appreciated.

Here is the Kaspersky log... (Please note Windows Vista is loaded on D drive.)

detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: D:\Program Files\Windows Live\Messenger\msnmsgr.exe
deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: D:\Users\Paul\AppData\Local\Temp\TMP135C.tmp
detected: adware not-a-virus:AdWare.Win32.Mostofate.aa File: C:\Documents and Settings\Paul\Desktop\BearShareV6.exe//WiseSFXDropper//WISE0044.BIN//stream//data0005
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo Running module: D:\Program Files\Windows Live\Messenger\msnmsgr.exe
detected: adware not-a-virus:AdWare.Win32.Virtumonde.din File: d:\windows\system32\rlpojfnc.dll

Here is the HJT log...

Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal
Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Windows\ehome\ehtray.exe
D:\Program Files\Windows Live\Messenger\msnmsgr .exe
D:\Program Files\Windows Live\Messenger\msnmsgr .exe
D:\Windows\System32\rundll32.exe
D:\Windows\ehome\ehmsas.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Windows\system32\rundll32.exe
D:\Windows\system32\wbem\unsecapp.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Windows\system32\DllHost.exe
D:\Windows\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
F3 - REG:win.ini: load=D:\Windows\system32\ddaby.exe
O1 - Hosts: ::1 localhost
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [EnvyHFCPL] D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe D:\Windows\system32\awvtu.dll,#1
O4 - HKLM\..\Run: [3cc8694a] rundll32.exe "D:\Windows\system32\rlpojfnc.dll",b
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 5564 bytes

Comments

  • edited January 2008
    Below is the new HJT log as per the 72-hour thread.

    Since my last post I have disabled Kaspersky because it started to become more of a problem than a help.

    All problems have continued, as well as a homepage hijacker in Internet Explorer, and the system is running very slow now.

    Thanks again,

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:06:40 AM, on 09/01/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal
    Running processes:
    D:\Windows\system32\Dwm.exe
    D:\Windows\system32\taskeng.exe
    D:\Program Files\Windows Defender\MSASCui.exe
    D:\Windows\System32\rundll32.exe
    D:\Program Files\Windows Sidebar\sidebar.exe
    D:\Windows\ehome\ehtray.exe
    D:\Program Files\Windows Live\Messenger\msnmsgr .exe
    D:\Program Files\Windows Live\Messenger\msnmsgr .exe
    D:\Windows\System32\rundll32.exe
    D:\Windows\ehome\ehmsas.exe
    D:\Program Files\Windows Media Player\wmpnscfg.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    D:\Windows\system32\rundll32.exe
    D:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    D:\Windows\System32\mobsync.exe
    D:\Windows\system32\rundll32.exe
    D:\Windows\explorer.exe
    D:\Windows\system32\rundll32.exe
    D:\Windows\system32\wbem\unsecapp.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Windows\system32\SearchFilterHost.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
    F3 - REG:win.ini: load=D:\Windows\system32\ddaby.exe
    O1 - Hosts: ::1 localhost
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [EnvyHFCPL] D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKLM\..\Run: [MSServer] rundll32.exe D:\Windows\system32\awvtu.dll,#1
    O4 - HKLM\..\Run: [3cc8694a] rundll32.exe "D:\Windows\system32\xoyjuunf.dll",b
    O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: DomainService - - D:\Windows\system32\cebmphcv.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    --
    End of file - 5972 bytes
  • TroganTrogan London, UK
    edited January 2008
    Hi captaincrash,

    Your computer is quite infected. There is a file I would like scanned please:
    • Go to VirusTotal
    • Copy and paste the following file path into the Search Box in the middle of the page:
    • C:\WINDOWS\Config\lsass.exe
    • Now, click on the Send File button
    • Save a copy of the Anti-Virus results. Post the results in your next reply.
  • edited January 2008
    Thanks trogan,

    It's not allowing me to scan that file.

    "0 bytes size received" is the result I'm getting.
  • TroganTrogan London, UK
    edited January 2008
    Hi captaincrash,

    Please go to D:\Program Files\Trend Micro\HijackThis and rename HijackThis.exe to Scanner.exe.

    Now, please do the following...

    1. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
    F3 - REG:win.ini: load=D:\Windows\system32\ddaby.exe

    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    - Close HijackThis

    2. Run HijackThis and click on Open the Misc Tools section.
    Click on delete a file on reboot...
    Copy and paste the following into the "File name:" text box and then click Open:

    C:\WINDOWS\Config\lsass.exe

    When you are asked "Do you want to restart your computer now?", click NO.
    Repeat these steps for the following file(s) and this time, when you reach the end, click OK:

    D:\Windows\system32\ddaby.exe

    Your PC MUST reboot to delete the files!

    3. I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.
    4. Please download ComboFix to your Desktop.
    • Double click on Combofix.exe & follow the prompts.
    • When the scan has finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    5. Please post the following...

    Uninstall list
    ComboFix log
    New HijackThis log
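The entries Trogan picks out for fixing above follow a few recognisable patterns in the HJT log: a second executable chained onto the Winlogon Shell= value, a populated win.ini load=, a toolbar with no file, rundll32 autostarts with a random hex value name or a one-letter/ordinal export, a service that names no vendor, and binaries such as "msnmsgr .exe" with whitespace wedged before the extension. The Python checker below is an added example, not code from the thread or from HijackThis, that applies those heuristics to lines taken from the logs posted above; the regexes, the reason strings and the `triage` / `triage_line` names are this example's own.

```python
import re
from typing import List, Tuple

# Sample input: lines copied from the HijackThis logs posted above (a constructed
# excerpt for this example, not a complete log).
SAMPLE_LOG = r"""
Running processes:
D:\Windows\system32\Dwm.exe
D:\Program Files\Windows Live\Messenger\msnmsgr .exe
D:\Windows\explorer.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
F3 - REG:win.ini: load=D:\Windows\system32\ddaby.exe
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [MSServer] rundll32.exe D:\Windows\system32\awvtu.dll,#1
O4 - HKLM\..\Run: [3cc8694a] rundll32.exe "D:\Windows\system32\rlpojfnc.dll",b
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
O23 - Service: DomainService - - D:\Windows\system32\cebmphcv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Heuristics of this example, modelled on the helper's fix list in the thread.
BLANK_IE_VALUE = re.compile(r"^R[01] - .*=\s*$")
SHELL_VALUE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.IGNORECASE)
WININI_LOAD = re.compile(r"^F3 - REG:win\.ini: load=(.*)$", re.IGNORECASE)
HEX_LABEL = re.compile(r"^O4 - .*?\[[0-9a-f]{8}\]", re.IGNORECASE)
ORDINAL_EXPORT = re.compile(r'\.dll"?,#\d+\b', re.IGNORECASE)
ONE_LETTER_EXPORT = re.compile(r'\.dll"?,[A-Za-z]\s*$')
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.exe\b", re.IGNORECASE)
# O23 lines read "NAME - COMPANY - PATH"; a missing vendor shows up as "NAME - - PATH".
SERVICE_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?:(?P<company>.+?) )?- (?P<path>.+)$")


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one HijackThis log line looks suspicious."""
    s = line.strip()
    reasons: List[str] = []

    # R0/R1 with an empty value: the entries the helper ticked for a reset.
    if BLANK_IE_VALUE.match(s):
        reasons.append("blank Internet Explorer search/start value")

    # F2: the Winlogon Shell value must be exactly Explorer.exe; anything appended
    # to it is started together with the desktop at every logon.
    m = SHELL_VALUE.match(s)
    if m and m.group(1).strip().lower() != "explorer.exe":
        reasons.append("extra executable chained onto the Shell= value")

    # F3: the legacy win.ini load= autostart is normally empty.
    m = WININI_LOAD.match(s)
    if m and m.group(1).strip():
        reasons.append("legacy win.ini load= autostart is populated")

    # O2/O3/O9: a registered browser add-on whose file is gone.
    if s.startswith(("O2 ", "O3 ", "O9 ")) and "(no file)" in s:
        reasons.append("registered browser add-on points at a missing file")

    # O4 autostarts routed through rundll32 with the telltales seen in the thread.
    if s.startswith("O4 ") and "rundll32" in s.lower():
        if HEX_LABEL.match(s):
            reasons.append("rundll32 autostart with a random hex value name")
        if ORDINAL_EXPORT.search(s):
            reasons.append("rundll32 autostart calling a DLL export by ordinal")
        if ONE_LETTER_EXPORT.search(s):
            reasons.append("rundll32 autostart calling a one-letter DLL export")

    # O23: a service that names no vendor at all.
    m = SERVICE_LINE.match(s)
    if m and not (m.group("company") or "").strip():
        reasons.append("service with no vendor running from " + m.group("path"))

    # Anywhere: whitespace wedged in before ".exe" (e.g. "msnmsgr .exe"), which
    # lets a look-alike file sit beside the genuine binary in the same folder.
    if SPACE_BEFORE_EXT.search(s):
        reasons.append("whitespace before the .exe extension (look-alike file name)")

    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log and return (line, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        for reason in triage_line(line):
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Every flagged line still needs a human look (a vendor-less service or a blank R0 value is not proof of infection on its own), but the output reproduces the helper's shortlist from the thread.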
  • edited January 2008
    Thanks for the quick response Trogan...

    Uninstall log

    Ad-Aware 2007
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 8.1.1
    Audacity 1.3.4 (Unicode)
    Belarc Advisor 7.2
    Blaze Media Pro
    Combined Community Codec Pack 2007-07-22
    Google Earth
    HijackThis 2.0.2
    Java(TM) 6 Update 3
    Kaspersky Anti-Virus 7.0
    Kaspersky Anti-Virus 7.0
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Outlook Web Access S/MIME
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (2.0.0.11)
    NVIDIA Drivers
    Orbit Downloader
    River Past Audio Converter
    River Past Audio Converter Pro
    SopCast 2.0.4
    Spybot - Search & Destroy
    System Requirements Lab
    Update for Outlook 2007 Junk Email Filter (kb943597)
    URL Snooper v2.20.02
    VIA Platform Device Manager
    VideoLAN VLC media player 0.8.6d
    Winamp
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Player Firefox Plugin
    WinPcap 4.1 beta
    WinRAR archiver

    Combo Log

    ComboFix 08-01-10.2 - Paul 2008-01-10 18:16:25.1 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1300 [GMT -5:00]
    Running from: D:\Users\Paul\Desktop\ComboFix.exe
    * Created a new restore point
    .
    ADS - system32: deleted 23041 bytes in 2 streams.
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    D:\Windows\system32\adeuktet.dll
    D:\Windows\system32\cebmphcv.exe
    D:\Windows\System32\cnfjoplr.ini
    D:\Windows\system32\cnpeivyh.dll
    D:\Windows\system32\cyjquupk.dll
    D:\Windows\system32\ddaby.dll
    D:\Windows\system32\ddaby.exe
    D:\Windows\system32\demrgsdo.exe
    D:\Windows\system32\dksofhjt.dll
    D:\Windows\System32\ewitdepm.ini
    D:\Windows\System32\fgjlm.ini
    D:\Windows\System32\fgjlm.ini2
    D:\Windows\system32\fhwoqcpl.dll
    D:\Windows\System32\fnuujyox.ini
    D:\Windows\system32\gjfarnxw.dll
    D:\Windows\System32\gktfkuex.ini
    D:\Windows\system32\hvermqwi.exe
    D:\Windows\system32\mpedtiwe.dll
    D:\Windows\System32\mtedoapr.ini
    D:\Windows\system32\nwyoargf.exe
    D:\Windows\system32\orkwbbnm.dll
    D:\Windows\System32\peoeqncc.ini
    D:\Windows\system32\rlpojfnc.dll
    D:\Windows\system32\sxacuyws.dll
    D:\Windows\System32\tetkueda.ini
    D:\Windows\system32\wfdkbcum.dll
    D:\Windows\system32\xaniocod.dll
    D:\Windows\system32\xeukftkg.dll
    D:\Windows\system32\xoyjuunf.dll
    D:\Windows\System32\ybadd.ini
    D:\Windows\System32\ybadd.ini2
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \DomainService

    ((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
    .
    2008-01-10 18:35 . 2008-01-10 18:35 3,584 --a D:\Windows\System32\ddaby.exe
    2008-01-10 18:35 . 2008-01-10 18:35 319 --ahs---- D:\Windows\System32\ybadd.ini2
    2008-01-10 18:35 . 2008-01-10 18:35 319 --ahs---- D:\Windows\System32\ybadd.ini
    2008-01-10 18:35 . 2008-01-10 18:35 9 --a D:\Windows\System32\3cc87bc4
    2008-01-10 18:14 . 2000-08-31 08:00 51,200 --a D:\Windows\NirCmd.exe
    2008-01-10 03:09 . 2008-01-10 03:09 802,816 --a D:\Windows\System32\drivers\tcpip.sys
    2008-01-10 03:09 . 2008-01-10 03:09 216,760 --a D:\Windows\System32\drivers\netio.sys
    2008-01-10 03:09 . 2008-01-10 03:09 167,424 --a D:\Windows\System32\tcpipcfg.dll
    2008-01-10 03:09 . 2008-01-10 03:09 24,064 --a D:\Windows\System32\netcfg.exe
    2008-01-10 03:09 . 2008-01-10 03:09 22,016 --a D:\Windows\System32\netiougc.exe
    2008-01-10 03:07 . 2008-01-10 03:07 11,776 --a D:\Windows\System32\sbunattend.exe
    2008-01-09 19:46 . 2008-01-10 13:35 <DIR> d D:\Users\Paul\AppData\Roaming\Orbit
    2008-01-09 19:46 . 2008-01-09 19:46 <DIR> d D:\Program Files\Orbitdownloader
    2008-01-09 19:46 . 2008-01-10 13:31 <DIR> d D:\Downloads
    2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d D:\Users\All Users\Spybot - Search & Destroy
    2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d D:\ProgramData\Spybot - Search & Destroy
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d D:\Users\All Users\Lavasoft
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d D:\ProgramData\Lavasoft
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d D:\Program Files\Lavasoft
    2008-01-05 23:54 . 2008-01-05 23:54 <DIR> d D:\Program Files\Common Files\Wise Installation Wizard
    2008-01-05 10:59 . 2008-01-05 10:59 <DIR> d D:\Program Files\Trend Micro
    2008-01-04 18:10 . 2008-01-04 18:18 91,492 --a D:\Windows\System32\drivers\klin.dat
    2008-01-04 18:10 . 2008-01-04 18:18 85,860 --a D:\Windows\System32\drivers\klick.dat
    2008-01-04 18:05 . 2008-01-10 18:35 <DIR> d D:\Users\All Users\Kaspersky Lab
    2008-01-04 18:05 . 2008-01-10 18:35 <DIR> d D:\ProgramData\Kaspersky Lab
    2008-01-04 18:05 . 2008-01-04 18:05 <DIR> d D:\Program Files\Kaspersky Lab
    2008-01-04 18:04 . 2008-01-10 18:35 4,668,192 --ahs---- D:\Windows\System32\drivers\fidbox.dat
    2008-01-04 18:04 . 2008-01-10 18:32 64,568 --ahs---- D:\Windows\System32\drivers\fidbox.idx
    2008-01-04 18:02 . 2008-01-04 18:02 <DIR> d D:\KAV
    2008-01-04 02:29 . 2008-01-04 02:29 0 --ah D:\ntuser.dat.LOG2
    2008-01-04 02:29 . 2008-01-04 02:29 0 --ah D:\ntuser.dat.LOG1
    2008-01-04 02:29 . 2008-01-04 02:29 0 --a D:\ntuser.dat
    2008-01-04 00:33 . 2008-01-04 00:33 <DIR> d D:\VundoFix Backups
    2008-01-04 00:17 . 2008-01-04 00:17 109,248 --a D:\Windows\System32\MSWINSCK.OCX
    2008-01-01 13:18 . 2008-01-01 13:23 12,413,440 --a D:\Users\Paul\avgas-setup-7.5.1.43.exe
    2008-01-01 13:15 . 2008-01-01 13:14 8,004,432 --a D:\Users\Paul\Regdrill.exe
    2008-01-01 13:15 . 2008-01-01 13:15 1,408,025 --a D:\Users\Paul\registry-clean-pro.exe
    2007-12-31 20:23 . 2007-12-31 20:23 135,360 --a D:\Users\Paul\FixBlast.exe
    2007-12-26 16:55 . 2007-12-26 16:58 33,413,672 --a D:\Users\Paul\169.25_forceware_winvista_32bit_english_whql.exe
    2007-12-26 16:54 . 2007-12-26 16:54 <DIR> d D:\Program Files\SystemRequirementsLab
    2007-12-26 16:53 . 2007-12-26 16:54 <DIR> d D:\Users\Paul\AppData\Roaming\SystemRequirementsLab
    2007-12-26 14:27 . 2007-12-26 14:27 <DIR> d D:\Program Files\Belarc
    2007-12-26 14:27 . 2005-04-07 17:18 3,840 --a D:\Windows\System32\drivers\BANTExt.sys
    2007-12-26 02:25 . 2008-01-10 03:29 171,895,433 --a D:\Windows\MEMORY.DMP
    2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a D:\Users\All Users\TEMP
    2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a D:\ProgramData\TEMP
    2007-12-23 20:33 . 2007-12-24 02:07 <DIR> d D:\Program Files\Blaze Media Pro
    2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d D:\Users\All Users\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
    2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d D:\ProgramData\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
    2007-12-23 02:39 . 2007-12-23 02:39 <DIR> d D:\Users\Paul\AppData\Roaming\Symantec
    2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d D:\Users\All Users\Symantec
    2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d D:\ProgramData\Symantec
    2007-12-23 02:14 . 2008-01-04 17:57 <DIR> d D:\Program Files\Common Files\Symantec Shared
    2007-12-23 01:39 . 2007-12-23 01:39 162,521 --a D:\Windows\Audio Converter Pro Uninstaller.exe
    2007-12-23 01:16 . 2008-01-01 21:55 <DIR> d D:\Users\Paul\AppData\Roaming\uTorrent
    2007-12-23 01:16 . 2007-12-23 01:16 <DIR> d D:\Program Files\uTorrent
    2007-12-23 00:46 . 2004-01-21 21:15 240,128 --a D:\Windows\system\lame_enc.dll
    2007-12-22 22:26 . 2007-12-22 22:26 <DIR> d D:\Program Files\Combined Community Codec Pack
    2007-12-22 22:26 . 2007-12-22 22:26 6,211,190 --a D:\Users\Paul\Combined-Community-Codec-Pack-2007-07-22.exe
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\Users\Paul\AppData\Roaming\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\Users\All Users\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\ProgramData\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\Program Files\River Past
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\Program Files\Common Files\River Past
    2007-12-22 22:22 . 2007-12-22 22:22 163,609 --a D:\Windows\Audio Converter Uninstaller.exe
    2007-12-22 22:04 . 2007-12-22 22:04 <DIR> d D:\libmp3lame-3.97
    2007-12-22 21:56 . 2007-12-22 22:44 <DIR> d D:\Users\Paul\AppData\Roaming\Audacity
    2007-12-22 21:56 . 2007-12-22 21:56 <DIR> d D:\Program Files\Audacity 1.3 Beta (Unicode)
    2007-12-22 21:42 . 2007-12-22 21:48 <DIR> d D:\Users\Paul\AppData\Roaming\FLV Extract
    2007-12-22 21:00 . 2007-12-22 21:00 <DIR> d D:\Users\Paul\AppData\Roaming\vlc
    2007-12-22 20:57 . 2007-12-22 20:57 <DIR> d D:\Program Files\VideoLAN
    2007-12-22 20:52 . 2007-12-22 20:52 <DIR> d D:\Program Files\WinPcap
    2007-12-22 20:52 . 2007-12-22 20:52 46 --a D:\Windows\System32\DonationCoder_urlsnooper_InstallInfo.dat
    2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d D:\Users\All Users\DonationCoder
    2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d D:\ProgramData\DonationCoder
    2007-12-22 20:50 . 2007-12-22 21:32 <DIR> d D:\Program Files\URLSnooper2
    2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d D:\Users\All Users\WorldWinner.com
    2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d D:\ProgramData\WorldWinner.com
    2007-12-18 20:36 . 2007-12-18 20:36 <DIR> d D:\Program Files\SopCast
    2007-12-18 10:48 . 2007-12-18 10:48 159,458 --a D:\Windows\System32\nvapps.xml
    2007-12-16 21:11 . 2007-12-16 21:11 <DIR> d D:\Program Files\Google
    2007-12-15 23:27 . 2007-12-15 23:37 681 --a D:\Windows\mozver.dat
    2007-12-14 18:52 . 2007-12-14 18:52 <DIR> d D:\Windows\Sun
    2007-12-13 19:40 . 2007-12-31 18:52 <DIR> d D:\Users\All Users\NVIDIA
    2007-12-13 19:40 . 2007-12-31 18:52 <DIR> d D:\ProgramData\NVIDIA
    2007-12-13 19:36 . 2007-12-11 17:06 753,664 --a D:\Windows\System32\nvcplui.exe
    2007-12-13 19:36 . 2007-12-11 17:06 413,696 --a D:\Windows\System32\nvcpl.cpl
    2007-12-13 19:36 . 2007-12-11 17:06 307,200 --a D:\Windows\System32\nvexpbar.dll
    2007-12-13 19:34 . 2007-12-13 19:34 <DIR> d D:\NVIDIA
    2007-12-13 19:34 . 2007-12-11 18:52 356,352 --a D:\Windows\System32\NVUNINST.EXE
    2007-12-13 19:33 . 2007-12-13 19:33 31,956,512 --a D:\Users\Paul\163.75_forceware_winvista_32bit_english_whql.exe
    2007-12-13 13:29 . 2007-12-13 13:29 <DIR> d----c--- D:\Windows\System32\DRVSTORE
    2007-12-13 13:22 . 2007-03-25 19:17 <DIR> d D:\WVC
    2007-12-13 13:22 . 2007-03-02 07:19 240,128 --a D:\Windows\System32\drivers\royal.sys
    2007-12-13 13:22 . 2007-02-04 14:13 2,731 --a D:\ASUS.xrm-ms
    2007-12-13 10:33 . 2007-12-13 10:35 <DIR> d D:\Users\All Users\Adobe
    2007-12-13 10:32 . 2007-12-13 10:33 <DIR> d D:\Program Files\Common Files\Adobe
    2007-12-12 17:09 . 2007-12-12 17:09 <DIR> d D:\Program Files\TheWeatherNetwork
    2007-12-12 05:54 . 2007-12-12 05:54 205,824 --a D:\Windows\System32\msoeacct.dll
    2007-12-12 05:54 . 2007-12-12 05:54 87,040 --a D:\Windows\System32\msoert2.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-10 08:15 d w D:\Program Files\Windows Sidebar
    2007-12-13 18:25 d w D:\Program Files\Windows Mail
    2007-12-12 00:44 56,320 ----a-w D:\Windows\System32\iesetup.dll
    2007-12-12 00:44 52,736 ----a-w D:\Windows\AppPatch\iebrshim.dll
    2007-12-12 00:44 26,624 ----a-w D:\Windows\System32\ieUnatt.exe
    2007-12-11 22:06 86,016 ----a-w D:\Windows\System32\nvsvc.dll
    2007-12-11 22:06 81,920 ----a-w D:\Windows\System32\nvmctray.dll
    2007-12-11 22:06 8,530,464 ----a-w D:\Windows\System32\nvcpl.dll
    2007-12-11 22:06 8,238,688 ----a-w D:\Windows\system32\drivers\nvlddmkm.sys
    2007-12-11 22:06 795,104 ----a-w D:\Windows\System32\dpinst.exe
    2007-12-11 22:06 7,098,368 ----a-w D:\Windows\System32\nvoglv32.dll
    2007-12-11 22:06 6,549,504 ----a-w D:\Windows\System32\nvdisps.dll
    2007-12-11 22:06 5,263,360 ----a-w D:\Windows\System32\nvd3dum.dll
    2007-12-11 22:06 45,056 ----a-w D:\Windows\System32\nvmccsrs.dll
    2007-12-11 22:06 385,024 ----a-w D:\Windows\System32\nvapi.dll
    2007-12-11 22:06 356,352 ----a-w D:\Windows\System32\nvudisp.exe
    2007-12-11 22:06 35,328 ----a-w D:\Windows\System32\nvcod100.dll
    2007-12-11 22:06 35,328 ----a-w D:\Windows\System32\nvcod.dll
    2007-12-11 22:06 3,710,976 ----a-w D:\Windows\System32\nvvitvs.dll
    2007-12-11 22:06 3,420,160 ----a-w D:\Windows\System32\nvgames.dll
    2007-12-11 22:06 229,376 ----a-w D:\Windows\System32\nvmccs.dll
    2007-12-11 22:06 2,498,560 ----a-w D:\Windows\System32\nvwss.dll
    2007-12-11 22:06 188,416 ----a-w D:\Windows\System32\nvmccss.dll
    2007-12-11 22:06 147,456 ----a-w D:\Windows\System32\nvcolor.exe
    2007-12-11 22:06 1,830,912 ----a-w D:\Windows\System32\nvwgf2um.dll
    2007-12-11 22:06 1,228,800 ----a-w D:\Windows\System32\nvmobls.dll
    2007-10-18 16:31 51,224 ----a-w D:\Windows\System32\sirenacm.dll
    2006-11-02 12:49 174 --sha-w D:\Program Files\desktop.ini
    .
    ----a-w            39,792 2007-12-25 05:03:11  D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
    ----a-w            51,048 2007-12-25 05:03:13  D:\Program Files\Common Files\Symantec Shared\ccApp .exe
    ----a-w           132,496 2007-12-25 05:04:10  D:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    ----a-w         4,484,816 2007-12-25 05:04:07  D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye .exe
    ----a-w           495,616 2007-12-25 05:03:19  D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL .exe
    ----a-w            36,352 2007-12-25 05:03:11  D:\Program Files\Winamp\winampa .exe
    ----a-w         5,724,184 2008-01-10 23:35:36  D:\Program Files\Windows Live\Messenger\msnmsgr    .exe
    ----a-w         6,094,848 2008-01-10 23:16:34  D:\Program Files\Windows Live\Messenger\msnmsgr   .exe
    ----a-w         6,094,848 2008-01-10 08:34:21  D:\Program Files\Windows Live\Messenger\msnmsgr  .exe
    ----a-w         5,724,184 2008-01-10 15:44:04  D:\Program Files\Windows Live\Messenger\msnmsgr .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7632571C-53EB-4A86-8A71-2B94B3586C59}]
    D:\Windows\system32\mljgf.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE24E471-EC45-4E5B-8629-0250F9A6DAD9}]
    D:\Windows\system32\mljgf.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="D:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:07 1232896]
    "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 07:32 2159104 D:\Windows\System32\oobefldr.dll]
    "ehTray.exe"="D:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]
    "WeatherEye"="D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [ ]
    "msnmsgr"="D:\Program Files\Windows Live\Messenger\msnmsgr .exe" [2008-01-10 18:35 5724184]
    "WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:33 201728]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 07:32 1004136]
    "EnvyHFCPL"="D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe" [ ]
    "NvSvc"="D:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
    "NvCplDaemon"="D:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
    "NvMediaCenter"="D:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
    "AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]
    "MSServer"="D:\Windows\system32\awvtu.dll" [ ]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 D:\\Windows\\system32\\ddaby
    R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;D:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
    R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files\Spybot []
    R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;D:\Windows\system32\drivers\Envy24HF.sys [2007-03-15 08:56]
    S0 OemBiosDevice;Royalty OEM BIOS Extension;D:\Windows\system32\DRIVERS\royal.sys [2007-03-02 07:19]
    S3 NPF;NetGroup Packet Filter Driver;D:\Windows\system32\drivers\npf.sys [2007-06-21 15:55]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{889b9a67-a85e-11dc-8f73-806e6f6e6963}]
    \shell\AutoRun\command - E:\KAV7EN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{50C413FA-25F9-4C54-EB6C-03AE71A313CE}]
    D:\Windows\system32:svchost.exe
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-10 18:35:52
    Windows 6.0.6000 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-01-10 18:40:02
    ComboFix-quarantined-files.txt 2008-01-10 23:39:58
    .
    2008-01-10 08:09:56 --- E O F ---

    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:44:30 PM, on 10/01/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal
    Running processes:
    D:\Windows\system32\Dwm.exe
    D:\Windows\system32\taskeng.exe
    D:\Windows\system32\conime.exe
    D:\Windows\System32\rundll32.exe
    D:\Program Files\Windows Sidebar\sidebar.exe
    D:\Windows\ehome\ehtray.exe
    D:\Program Files\Windows Media Player\wmpnscfg.exe
    D:\Windows\ehome\ehmsas.exe
    D:\Windows\System32\rundll32.exe
    D:\Windows\system32\wbem\unsecapp.exe
    D:\Windows\Explorer.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    D:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7632571C-53EB-4A86-8A71-2B94B3586C59} - D:\Windows\system32\mljgf.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {EE24E471-EC45-4E5B-8629-0250F9A6DAD9} - D:\Windows\system32\mljgf.dll (file missing)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [EnvyHFCPL] D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKLM\..\Run: [MSServer] rundll32.exe D:\Windows\system32\awvtu.dll,#1
    O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    --
    End of file - 6210 bytes
  • Trogan London, UK
    edited January 2008
    Hi captaincrash,

    Please do the following...

    1. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: (no name) - {7632571C-53EB-4A86-8A71-2B94B3586C59} - D:\Windows\system32\mljgf.dll (file missing)
    O2 - BHO: (no name) - {EE24E471-EC45-4E5B-8629-0250F9A6DAD9} - D:\Windows\system32\mljgf.dll (file missing)

    O4 - HKLM\..\Run: [MSServer] rundll32.exe D:\Windows\system32\awvtu.dll,#1


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    - Close HijackThis

    2. Open Notepad and copy/paste the text in the Quote Box below into it:
    File::
    D:\Windows\System32\ddaby.exe
    D:\Windows\System32\ybadd.ini2
    D:\Windows\System32\ybadd.ini
    D:\Windows\system32\awvtu.dll

    Folder::
    D:\Windows\System32\3cc87bc4

    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    RENV::
    D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
    D:\Program Files\Common Files\Symantec Shared\ccApp .exe
    D:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye .exe
    D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL .exe
    D:\Program Files\Winamp\winampa .exe
    D:\Program Files\Windows Live\Messenger\msnmsgr .exe
    Save this as CFScript.txt to your Desktop

    [screenshot: CFScript.gif]
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    3. Please post the following...

    ComboFix log
    New HijackThis log
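
The selection Trogan makes above (two unnamed BHOs whose file is missing, plus a Run entry that calls rundll32 on a system32 DLL by ordinal) can be written down as a small triage rule set. The script below is an added illustration by the editor, not code from HijackThis, ComboFix or anyone in this thread; the regular expressions are the editor's assumptions about the HijackThis v2 line layout, and the sample log is constructed from the entries quoted in the thread.

```python
"""Triage HijackThis v2 log lines for the kinds of entries a helper fixes.

Added example: the editor's own illustration, not HijackThis or ComboFix
code. The line formats below are assumptions about the HJT v2 layout.
"""
import re
from typing import Dict, List

# HJT O2 line: "O2 - BHO: <name> - {<CLSID>} - <path> [(file missing)]"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# HJT O4 line: "O4 - <hive>\..\Run: [<label>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 invocation: "rundll32(.exe) <dll>,<export name or #ordinal>"
RUNDLL_RE = re.compile(r"(?i)^rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<entry>\S+)")

# Constructed sample, modelled on the lines quoted in the thread above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7632571C-53EB-4A86-8A71-2B94B3586C59} - D:\Windows\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {EE24E471-EC45-4E5B-8629-0250F9A6DAD9} - D:\Windows\system32\mljgf.dll (file missing)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [MSServer] rundll32.exe D:\Windows\system32\awvtu.dll,#1
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
"""

ORDINAL_REASON = "rundll32 loads a system32 DLL by ordinal export"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the O2/O4 entries that match the triage rules, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            # Rule 1: a BHO with no name, or whose file is gone, is what the
            # helper ticked in HijackThis above.
            reasons = []
            if m.group("name") == "(no name)":
                reasons.append("unnamed BHO")
            if m.group("path").endswith("(file missing)"):
                reasons.append("BHO file missing")
            if reasons:
                findings.append({"line": line, "label": m.group("clsid"),
                                 "reason": "; ".join(reasons)})
            continue
        m = O4_RE.match(line)
        if m:
            # Rule 2: a Run entry that hands a system32 DLL to rundll32 by
            # ordinal (",#1") rather than by a named export. Legitimate
            # vendor entries such as NvSvc use a named export and pass.
            r = RUNDLL_RE.match(m.group("cmd"))
            if (r and r.group("entry").startswith("#")
                    and "\\windows\\system32\\" in r.group("dll").lower()):
                findings.append({"line": line, "label": m.group("label"),
                                 "reason": ORDINAL_REASON})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['reason']:45} {f['line']}")
```

Run against the constructed sample, the script flags exactly the two `(no name)` BHOs and the `MSServer` entry and leaves the NVIDIA, Adobe and Sidebar lines alone. The rules are deliberately narrow; they reproduce one helper's judgement on one log, not a general malware classifier.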
  • edited January 2008
    Thanks again Trogan, computer seems to be getting much better now...

    Combo Log

    ComboFix 08-01-10.2 - Paul 2008-01-11 10:18:11.2 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1187 [GMT -5:00]
    Running from: D:\Users\Paul\Desktop\ComboFix.exe
    Command switches used :: D:\Users\Paul\Desktop\CFscript.txt
    * Created a new restore point
    FILE
    D:\Windows\system32\awvtu.dll
    D:\Windows\System32\ddaby.exe
    D:\Windows\System32\ybadd.ini
    D:\Windows\System32\ybadd.ini2
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    D:\Windows\System32\3cc87bc4\
    D:\Windows\system32\ddaby.dll
    D:\Windows\system32\ddaby.exe
    D:\Windows\system32\fjdfofan.dll
    D:\Windows\System32\jqmhycyo.ini
    D:\Windows\system32\nafdkvcn.exe
    D:\Windows\system32\oycyhmqj.dll
    D:\Windows\System32\ybadd.ini
    D:\Windows\System32\ybadd.ini2
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \DomainService

    ((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
    .
    2008-01-10 18:35 . 2008-01-10 18:35 9 --a D:\Windows\System32\3cc87bc4
    2008-01-10 18:14 . 2000-08-31 08:00 51,200 --a D:\Windows\NirCmd.exe
    2008-01-10 03:09 . 2008-01-10 03:09 802,816 --a D:\Windows\System32\drivers\tcpip.sys
    2008-01-10 03:09 . 2008-01-10 03:09 216,760 --a D:\Windows\System32\drivers\netio.sys
    2008-01-10 03:09 . 2008-01-10 03:09 167,424 --a D:\Windows\System32\tcpipcfg.dll
    2008-01-10 03:09 . 2008-01-10 03:09 24,064 --a D:\Windows\System32\netcfg.exe
    2008-01-10 03:09 . 2008-01-10 03:09 22,016 --a D:\Windows\System32\netiougc.exe
    2008-01-10 03:07 . 2008-01-10 03:07 11,776 --a D:\Windows\System32\sbunattend.exe
    2008-01-09 19:46 . 2008-01-10 13:35 <DIR> d D:\Users\Paul\AppData\Roaming\Orbit
    2008-01-09 19:46 . 2008-01-11 10:12 <DIR> d D:\Program Files\Orbitdownloader
    2008-01-09 19:46 . 2008-01-10 13:31 <DIR> d D:\Downloads
    2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d D:\Users\All Users\Spybot - Search & Destroy
    2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d D:\ProgramData\Spybot - Search & Destroy
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d D:\Users\All Users\Lavasoft
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d D:\ProgramData\Lavasoft
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d D:\Program Files\Lavasoft
    2008-01-05 23:54 . 2008-01-05 23:54 <DIR> d D:\Program Files\Common Files\Wise Installation Wizard
    2008-01-05 10:59 . 2008-01-05 10:59 <DIR> d D:\Program Files\Trend Micro
    2008-01-04 18:10 . 2008-01-04 18:18 91,492 --a D:\Windows\System32\drivers\klin.dat
    2008-01-04 18:10 . 2008-01-04 18:18 85,860 --a D:\Windows\System32\drivers\klick.dat
    2008-01-04 18:05 . 2008-01-11 10:28 <DIR> d D:\Users\All Users\Kaspersky Lab
    2008-01-04 18:05 . 2008-01-11 10:28 <DIR> d D:\ProgramData\Kaspersky Lab
    2008-01-04 18:05 . 2008-01-04 18:05 <DIR> d D:\Program Files\Kaspersky Lab
    2008-01-04 18:04 . 2008-01-11 10:28 4,815,136 --ahs---- D:\Windows\System32\drivers\fidbox.dat
    2008-01-04 18:04 . 2008-01-11 10:26 66,608 --ahs---- D:\Windows\System32\drivers\fidbox.idx
    2008-01-04 18:02 . 2008-01-04 18:02 <DIR> d D:\KAV
    2008-01-04 02:29 . 2008-01-04 02:29 0 --ah D:\ntuser.dat.LOG2
    2008-01-04 02:29 . 2008-01-04 02:29 0 --ah D:\ntuser.dat.LOG1
    2008-01-04 02:29 . 2008-01-04 02:29 0 --a D:\ntuser.dat
    2008-01-04 00:33 . 2008-01-04 00:33 <DIR> d D:\VundoFix Backups
    2008-01-04 00:17 . 2008-01-04 00:17 109,248 --a D:\Windows\System32\MSWINSCK.OCX
    2008-01-01 13:18 . 2008-01-01 13:23 12,413,440 --a D:\Users\Paul\avgas-setup-7.5.1.43.exe
    2008-01-01 13:15 . 2008-01-01 13:14 8,004,432 --a D:\Users\Paul\Regdrill.exe
    2008-01-01 13:15 . 2008-01-01 13:15 1,408,025 --a D:\Users\Paul\registry-clean-pro.exe
    2007-12-31 20:23 . 2007-12-31 20:23 135,360 --a D:\Users\Paul\FixBlast.exe
    2007-12-26 16:55 . 2007-12-26 16:58 33,413,672 --a D:\Users\Paul\169.25_forceware_winvista_32bit_english_whql.exe
    2007-12-26 16:54 . 2007-12-26 16:54 <DIR> d D:\Program Files\SystemRequirementsLab
    2007-12-26 16:53 . 2007-12-26 16:54 <DIR> d D:\Users\Paul\AppData\Roaming\SystemRequirementsLab
    2007-12-26 14:27 . 2007-12-26 14:27 <DIR> d D:\Program Files\Belarc
    2007-12-26 14:27 . 2005-04-07 17:18 3,840 --a D:\Windows\System32\drivers\BANTExt.sys
    2007-12-26 02:25 . 2008-01-10 03:29 171,895,433 --a D:\Windows\MEMORY.DMP
    2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a D:\Users\All Users\TEMP
    2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a D:\ProgramData\TEMP
    2007-12-23 20:33 . 2007-12-24 02:07 <DIR> d D:\Program Files\Blaze Media Pro
    2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d D:\Users\All Users\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
    2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d D:\ProgramData\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
    2007-12-23 02:39 . 2007-12-23 02:39 <DIR> d D:\Users\Paul\AppData\Roaming\Symantec
    2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d D:\Users\All Users\Symantec
    2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d D:\ProgramData\Symantec
    2007-12-23 02:14 . 2008-01-11 10:18 <DIR> d D:\Program Files\Common Files\Symantec Shared
    2007-12-23 01:39 . 2007-12-23 01:39 162,521 --a D:\Windows\Audio Converter Pro Uninstaller.exe
    2007-12-23 01:16 . 2008-01-01 21:55 <DIR> d D:\Users\Paul\AppData\Roaming\uTorrent
    2007-12-23 01:16 . 2007-12-23 01:16 <DIR> d D:\Program Files\uTorrent
    2007-12-23 00:46 . 2004-01-21 21:15 240,128 --a D:\Windows\system\lame_enc.dll
    2007-12-22 22:26 . 2007-12-22 22:26 <DIR> d D:\Program Files\Combined Community Codec Pack
    2007-12-22 22:26 . 2007-12-22 22:26 6,211,190 --a D:\Users\Paul\Combined-Community-Codec-Pack-2007-07-22.exe
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\Users\Paul\AppData\Roaming\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\Users\All Users\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\ProgramData\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\Program Files\River Past
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d D:\Program Files\Common Files\River Past
    2007-12-22 22:22 . 2007-12-22 22:22 163,609 --a D:\Windows\Audio Converter Uninstaller.exe
    2007-12-22 22:04 . 2007-12-22 22:04 <DIR> d D:\libmp3lame-3.97
    2007-12-22 21:56 . 2007-12-22 22:44 <DIR> d D:\Users\Paul\AppData\Roaming\Audacity
    2007-12-22 21:56 . 2007-12-22 21:56 <DIR> d D:\Program Files\Audacity 1.3 Beta (Unicode)
    2007-12-22 21:42 . 2007-12-22 21:48 <DIR> d D:\Users\Paul\AppData\Roaming\FLV Extract
    2007-12-22 21:00 . 2007-12-22 21:00 <DIR> d D:\Users\Paul\AppData\Roaming\vlc
    2007-12-22 20:57 . 2007-12-22 20:57 <DIR> d D:\Program Files\VideoLAN
    2007-12-22 20:52 . 2007-12-22 20:52 <DIR> d D:\Program Files\WinPcap
    2007-12-22 20:52 . 2007-12-22 20:52 46 --a D:\Windows\System32\DonationCoder_urlsnooper_InstallInfo.dat
    2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d D:\Users\All Users\DonationCoder
    2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d D:\ProgramData\DonationCoder
    2007-12-22 20:50 . 2007-12-22 21:32 <DIR> d D:\Program Files\URLSnooper2
    2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d D:\Users\All Users\WorldWinner.com
    2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d D:\ProgramData\WorldWinner.com
    2007-12-18 20:36 . 2007-12-18 20:36 <DIR> d D:\Program Files\SopCast
    2007-12-18 10:48 . 2007-12-18 10:48 159,458 --a D:\Windows\System32\nvapps.xml
    2007-12-16 21:11 . 2007-12-16 21:11 <DIR> d D:\Program Files\Google
    2007-12-15 23:27 . 2007-12-15 23:37 681 --a D:\Windows\mozver.dat
    2007-12-14 18:52 . 2007-12-14 18:52 <DIR> d D:\Windows\Sun
    2007-12-13 19:40 . 2007-12-31 18:52 <DIR> d D:\Users\All Users\NVIDIA
    2007-12-13 19:40 . 2007-12-31 18:52 <DIR> d D:\ProgramData\NVIDIA
    2007-12-13 19:36 . 2007-12-11 17:06 753,664 --a D:\Windows\System32\nvcplui.exe
    2007-12-13 19:36 . 2007-12-11 17:06 413,696 --a D:\Windows\System32\nvcpl.cpl
    2007-12-13 19:36 . 2007-12-11 17:06 307,200 --a D:\Windows\System32\nvexpbar.dll
    2007-12-13 19:34 . 2007-12-13 19:34 <DIR> d D:\NVIDIA
    2007-12-13 19:34 . 2007-12-11 18:52 356,352 --a D:\Windows\System32\NVUNINST.EXE
    2007-12-13 19:33 . 2007-12-13 19:33 31,956,512 --a D:\Users\Paul\163.75_forceware_winvista_32bit_english_whql.exe
    2007-12-13 13:29 . 2007-12-13 13:29 <DIR> d----c--- D:\Windows\System32\DRVSTORE
    2007-12-13 13:22 . 2007-03-25 19:17 <DIR> d D:\WVC
    2007-12-13 13:22 . 2007-03-02 07:19 240,128 --a D:\Windows\System32\drivers\royal.sys
    2007-12-13 13:22 . 2007-02-04 14:13 2,731 --a D:\ASUS.xrm-ms
    2007-12-13 10:33 . 2007-12-13 10:35 <DIR> d D:\Users\All Users\Adobe
    2007-12-13 10:32 . 2007-12-13 10:33 <DIR> d D:\Program Files\Common Files\Adobe
    2007-12-12 17:09 . 2007-12-12 17:09 <DIR> d D:\Program Files\TheWeatherNetwork
    2007-12-12 05:54 . 2007-12-12 05:54 205,824 --a D:\Windows\System32\msoeacct.dll
    2007-12-12 05:54 . 2007-12-12 05:54 87,040 --a D:\Windows\System32\msoert2.dll
    2007-12-12 05:54 . 2007-12-12 05:54 39,424 --a D:\Windows\System32\ACCTRES.dll
    2007-12-12 05:53 . 2007-12-12 05:53 376,320 --a D:\Windows\System32\winsrv.dll
    2007-12-12 05:53 . 2007-12-12 05:53 374,456 --a D:\Windows\System32\mcupdate_GenuineIntel.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-10 08:15 d w D:\Program Files\Windows Sidebar
    2007-12-13 18:25 d w D:\Program Files\Windows Mail
    2007-12-12 00:44 56,320 ----a-w D:\Windows\System32\iesetup.dll
    2007-12-12 00:44 52,736 ----a-w D:\Windows\AppPatch\iebrshim.dll
    2007-12-12 00:44 26,624 ----a-w D:\Windows\System32\ieUnatt.exe
    2007-12-11 22:06 86,016 ----a-w D:\Windows\System32\nvsvc.dll
    2007-12-11 22:06 81,920 ----a-w D:\Windows\System32\nvmctray.dll
    2007-12-11 22:06 8,530,464 ----a-w D:\Windows\System32\nvcpl.dll
    2007-12-11 22:06 8,238,688 ----a-w D:\Windows\system32\drivers\nvlddmkm.sys
    2007-12-11 22:06 795,104 ----a-w D:\Windows\System32\dpinst.exe
    2007-12-11 22:06 7,098,368 ----a-w D:\Windows\System32\nvoglv32.dll
    2007-12-11 22:06 6,549,504 ----a-w D:\Windows\System32\nvdisps.dll
    2007-12-11 22:06 5,263,360 ----a-w D:\Windows\System32\nvd3dum.dll
    2007-12-11 22:06 45,056 ----a-w D:\Windows\System32\nvmccsrs.dll
    2007-12-11 22:06 385,024 ----a-w D:\Windows\System32\nvapi.dll
    2007-12-11 22:06 356,352 ----a-w D:\Windows\System32\nvudisp.exe
    2007-12-11 22:06 35,328 ----a-w D:\Windows\System32\nvcod100.dll
    2007-12-11 22:06 35,328 ----a-w D:\Windows\System32\nvcod.dll
    2007-12-11 22:06 3,710,976 ----a-w D:\Windows\System32\nvvitvs.dll
    2007-12-11 22:06 3,420,160 ----a-w D:\Windows\System32\nvgames.dll
    2007-12-11 22:06 229,376 ----a-w D:\Windows\System32\nvmccs.dll
    2007-12-11 22:06 2,498,560 ----a-w D:\Windows\System32\nvwss.dll
    2007-12-11 22:06 188,416 ----a-w D:\Windows\System32\nvmccss.dll
    2007-12-11 22:06 147,456 ----a-w D:\Windows\System32\nvcolor.exe
    2007-12-11 22:06 1,830,912 ----a-w D:\Windows\System32\nvwgf2um.dll
    2007-12-11 22:06 1,228,800 ----a-w D:\Windows\System32\nvmobls.dll
    2007-10-18 16:31 51,224 ----a-w D:\Windows\System32\sirenacm.dll
    2006-11-02 12:49 174 --sha-w D:\Program Files\desktop.ini
    .
    <pre>
    ----a-w         4,484,816 2008-01-11 15:28:33  D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye .exe
    ----a-w           495,616 2008-01-11 15:28:33  D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL .exe
    ----a-w         6,094,848 2008-01-10 23:47:57  D:\Program Files\Windows Live\Messenger\msnmsgr    .exe
    ----a-w         6,094,848 2008-01-11 01:29:16  D:\Program Files\Windows Live\Messenger\msnmsgr   .exe
    ----a-w         6,094,848 2008-01-11 01:29:12  D:\Program Files\Windows Live\Messenger\msnmsgr  .exe
    </pre>
    

    ((((((((((((((((((((((((((((( snapshot@2008-01-10_18.39.17.88 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-10 23:33:59 67,584 --s-a-w D:\Windows\bootstat.dat
    + 2008-01-11 15:27:18 67,584 --s-a-w D:\Windows\bootstat.dat
    - 2008-01-10 23:15:09 151,552 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-11 15:17:04 151,552 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-10 23:15:10 147,456 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
    + 2008-01-11 15:17:04 147,456 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
    - 2008-01-10 23:15:10 1,761,280 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-11 15:17:04 1,761,280 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-10 23:15:10 1,130,496 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-11 15:17:04 1,130,496 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2000-08-31 13:00:00 163,328 ----a-w D:\Windows\erdnt\subs\ERDNT.EXE
    - 2008-01-10 23:13:20 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
    + 2008-01-11 14:49:26 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
    - 2008-01-10 23:34:22 262,144 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-01-11 15:27:40 262,144 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-01-11 15:27:40 262,144 ---ha-w D:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
    - 2008-01-10 23:13:22 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
    + 2008-01-11 15:10:24 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
    - 2008-01-10 23:34:22 262,144 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-01-11 15:27:40 262,144 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-01-11 15:27:40 262,144 ---ha-w D:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
    - 2008-01-10 23:08:35 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-11 15:16:39 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-10 23:08:35 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-11 15:16:39 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-10 23:08:35 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-11 15:16:39 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-10 23:16:08 262,144 ----a-w D:\Windows\System32\config\systemprofile\ntuser.dat
    + 2008-01-11 15:17:48 262,144 ----a-w D:\Windows\System32\config\systemprofile\ntuser.dat
    - 2008-01-10 23:10:22 5,624 ----a-w D:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236469839-1975715874-2575763945-1000_UserData.bin
    + 2008-01-10 23:36:37 5,782 ----a-w D:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236469839-1975715874-2575763945-1000_UserData.bin
    - 2008-01-10 23:10:21 48,478 ----a-w D:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-01-10 23:36:36 48,674 ----a-w D:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2008-01-10 23:10:19 29,686 ----a-w D:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-01-10 23:36:33 30,136 ----a-w D:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="D:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:07 1232896]
    "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 07:32 2159104 D:\Windows\System32\oobefldr.dll]
    "ehTray.exe"="D:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]
    "WeatherEye"="D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-01-11 10:18 5245952]
    "msnmsgr"="D:\Program Files\Windows Live\Messenger\msnmsgr .exe" [ ]
    "WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:33 201728]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 07:32 1004136]
    "EnvyHFCPL"="D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe" [2008-01-11 10:18 839680]
    "NvSvc"="D:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
    "NvCplDaemon"="D:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
    "NvMediaCenter"="D:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
    "AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 D:\\Windows\\system32\\ddaby
    R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;D:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
    R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files\Spybot []
    R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;D:\Windows\system32\drivers\Envy24HF.sys [2007-03-15 08:56]
    S0 OemBiosDevice;Royalty OEM BIOS Extension;D:\Windows\system32\DRIVERS\royal.sys [2007-03-02 07:19]
    S3 NPF;NetGroup Packet Filter Driver;D:\Windows\system32\drivers\npf.sys [2007-06-21 15:55]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{889b9a67-a85e-11dc-8f73-806e6f6e6963}]
    \shell\AutoRun\command - E:\KAV7EN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{50C413FA-25F9-4C54-EB6C-03AE71A313CE}]
    D:\Windows\system32:svchost.exe
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-11 10:28:32
    Windows 6.0.6000 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-01-11 10:33:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-11 15:33:46
    ComboFix2.txt 2008-01-10 23:40:03
    .
    2008-01-11 06:01:17 --- E O F ---


    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:37:07 AM, on 11/01/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal
    Running processes:
    D:\Windows\system32\Dwm.exe
    D:\Windows\Explorer.EXE
    D:\Windows\system32\taskeng.exe
    D:\Windows\system32\conime.exe
    D:\Program Files\Windows Defender\MSASCui.exe
    D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
    D:\Windows\System32\rundll32.exe
    D:\Program Files\Windows Sidebar\sidebar.exe
    D:\Windows\ehome\ehtray.exe
    D:\Windows\System32\rundll32.exe
    D:\Program Files\Windows Media Player\wmpnscfg.exe
    D:\Windows\ehome\ehmsas.exe
    D:\Windows\system32\wbem\unsecapp.exe
    D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL .exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    D:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [EnvyHFCPL] D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    --
    End of file - 5958 bytes
  • Trogan London, UK
    edited January 2008
    Hi,

    You have a fairly new infection of the Vundo infection. Just checking it has been fully removed.

    I will reply as soon as possible.
  • edited January 2008
    Just to add on to this... the ddaby message is coming back up at startup, however the desktop loading issues are gone.
  • Trogan London, UK
    edited January 2008
    Could you post a new HijackThis log please.
  • edited January 2008
    Trogan,

    My computer has become quite unstable in the past day or so. I started losing my desktop as my taskbar would disappear and I would have to run explorer.exe to get it going again. NOW I have another problem where I have a fake Windows Update icon, a Help and Support icon that cannot be removed from the desktop, and an error in the taskbar saying "A Critical error could occur".

    Funny thing is I have not added a file or run anything different; I really have no idea where this could have come from.

    Here is a new log... thanks again for your help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:41:56 AM, on 13/01/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal
    Running processes:
    D:\Windows\system32\Dwm.exe
    D:\Windows\system32\taskeng.exe
    D:\Program Files\Windows Defender\MSASCui.exe
    D:\Windows\System32\rundll32.exe
    D:\Program Files\Windows Sidebar\sidebar.exe
    D:\Windows\ehome\ehtray.exe
    D:\Program Files\Windows Media Player\wmpnscfg.exe
    D:\Windows\system32\wbem\unsecapp.exe
    D:\Windows\System32\rundll32.exe
    D:\Windows\ehome\ehmsas.exe
    D:\Windows\system32\rundll32.exe
    D:\Program Files\Windows Live\Messenger\msnmsgr.exe
    D:\Windows\system32\rundll32.exe
    D:\Windows\system32\rundll32.exe
    D:\Windows\system32\rundll32.exe
    D:\Windows\Explorer.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    D:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: load=D:\Windows\system32\ddaby.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3BFBE5AF-D397-4A22-AEAF-B378D984CFF5} - D:\Windows\system32\ddaby.dll
    O2 - BHO: {d21a2560-914c-bd9b-9174-81855171fd34} - {43df1715-5818-4719-b9db-c4190652a12d} - D:\Windows\system32\gnlofowo.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7533E4A7-EEE0-4DB9-95E2-9AF7F5AD9365} - D:\Windows\system32\ddaby.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\Windows\system32\qakcyvdl.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKLM\..\Run: [3cc8694a] rundll32.exe "D:\Windows\system32\etawjfys.dll",b
    O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    O20 - Winlogon Notify: qakcyvdl - D:\Windows\SYSTEM32\qakcyvdl.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: DomainService - - D:\Windows\system32\cuojbmkr.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    --
    End of file - 6674 bytes
  • Trogan London, UK
    edited January 2008
    Hi captaincrash,

    Can I ask that you try and keep the computer off the Internet until we can neutralise the infection. Also, try and avoid rebooting unless instructed to.


    Please run a new scan with ComboFix and post the resulting log.
  • edited January 2008
    ComboFix 08-01-10.2 - Paul 2008-01-13 10:17:40.4 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1250 [GMT -5:00]
    Running from: D:\Users\Paul\Desktop\ComboFix.exe
    .
    Overlay aborted ... Please run ComboFix once more
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    D:\Windows\system32\cuojbmkr.exe
    D:\Windows\system32\ddaby.dll
    D:\Windows\system32\ddaby.exe
    D:\Windows\system32\etawjfys.dll
    D:\Windows\system32\gnlofowo.dll
    D:\Windows\system32\pfykrglp.dll
    D:\Windows\system32\qakcyvdl.dll
    D:\Windows\system32\qakcyvdl.dllbox
    D:\Windows\System32\syfjwate.ini
    D:\Windows\System32\ybadd.ini
    D:\Windows\System32\ybadd.ini2
    .
    ---- Previous Run
    .
    D:\Windows\system32\cuojbmkr.exe
    D:\Windows\system32\ddaby.exe
    D:\Windows\system32\etawjfys.dll
    D:\Windows\system32\gnlofowo.dll
    D:\Windows\system32\pfykrglp.dll
    D:\Windows\system32\qakcyvdl.dllbox
    D:\Windows\System32\syfjwate.ini
    D:\Windows\System32\ybadd.ini
    D:\Windows\System32\ybadd.ini2
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \DomainService


    ((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
    .
    2008-01-12 14:39 . 2008-01-12 14:39 384,000 --a------ D:\Windows\System32\netcfgx(508).dll
    2008-01-12 14:37 . 2008-01-12 14:37 24,064 --a------ D:\Windows\System32\wtsapi32(565).dll
    2008-01-12 14:33 . 2008-01-12 14:33 10,617,344 --a------ D:\Windows\System32\wmp(562).dll
    2008-01-12 14:33 . 2008-01-12 14:33 8,147,968 --a------ D:\Windows\System32\wmploc(563).DLL
    2008-01-12 14:26 . 2008-01-12 14:26 223,232 --a------ D:\Windows\System32\SLC(530).dll
    2008-01-12 14:22 . 2008-01-12 14:22 11,315,200 --a------ D:\Windows\System32\shell32(529).dll
    2008-01-12 14:22 . 2008-01-12 14:22 1,984,512 --a------ D:\Windows\System32\authui(426).dll
    2008-01-12 14:22 . 2008-01-12 14:22 712,192 --a------ D:\Windows\System32\WindowsCodecs(555).dll
    2008-01-12 14:22 . 2008-01-12 14:22 269,824 --a------ D:\Windows\System32\schannel(527).dll
    2008-01-12 14:22 . 2008-01-12 14:22 204,800 --a------ D:\Windows\System32\dhcpcsvc(439).dll
    2008-01-12 14:22 . 2008-01-12 14:22 123,904 --a------ D:\Windows\System32\msvfw32(504).dll
    2008-01-12 14:22 . 2008-01-12 14:22 120,320 --a------ D:\Windows\System32\dhcpcsvc6(440).dll
    2008-01-12 14:20 . 2008-01-12 14:20 974,336 --a------ D:\Windows\System32\crypt32(435).dll
    2008-01-10 18:35 . 2008-01-10 18:35 9 --a------ D:\Windows\System32\3cc87bc4
    2008-01-10 18:14 . 2000-08-31 08:00 51,200 --a------ D:\Windows\NirCmd.exe
    2008-01-10 03:09 . 2008-01-10 03:09 802,816 --a------ D:\Windows\System32\drivers\tcpip.sys
    2008-01-10 03:09 . 2008-01-10 03:09 216,760 --a------ D:\Windows\System32\drivers\netio.sys
    2008-01-10 03:09 . 2008-01-10 03:09 167,424 --a------ D:\Windows\System32\tcpipcfg.dll
    2008-01-10 03:09 . 2008-01-10 03:09 24,064 --a------ D:\Windows\System32\netcfg.exe
    2008-01-10 03:09 . 2008-01-10 03:09 22,016 --a------ D:\Windows\System32\netiougc.exe
    2008-01-10 03:07 . 2008-01-10 03:07 11,776 --a------ D:\Windows\System32\sbunattend.exe
    2008-01-09 19:46 . 2008-01-10 13:35 <DIR> d-------- D:\Users\Paul\AppData\Roaming\Orbit
    2008-01-09 19:46 . 2008-01-13 03:04 <DIR> d-------- D:\Program Files\Orbitdownloader
    2008-01-09 19:46 . 2008-01-10 13:31 <DIR> d-------- D:\Downloads
    2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d-------- D:\Users\All Users\Spybot - Search & Destroy
    2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d-------- D:\ProgramData\Spybot - Search & Destroy
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d-------- D:\Users\All Users\Lavasoft
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d-------- D:\ProgramData\Lavasoft
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d-------- D:\Program Files\Lavasoft
    2008-01-05 23:54 . 2008-01-05 23:54 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
    2008-01-05 10:59 . 2008-01-05 10:59 <DIR> d-------- D:\Program Files\Trend Micro
    2008-01-04 18:10 . 2008-01-04 18:18 91,492 --a------ D:\Windows\System32\drivers\klin.dat
    2008-01-04 18:10 . 2008-01-04 18:18 85,860 --a------ D:\Windows\System32\drivers\klick.dat
    2008-01-04 18:05 . 2008-01-13 03:10 <DIR> d-------- D:\Users\All Users\Kaspersky Lab
    2008-01-04 18:05 . 2008-01-13 03:10 <DIR> d-------- D:\ProgramData\Kaspersky Lab
    2008-01-04 18:05 . 2008-01-04 18:05 <DIR> d-------- D:\Program Files\Kaspersky Lab
    2008-01-04 18:04 . 2008-01-13 10:28 5,804,320 --a------ D:\Windows\System32\drivers\fidbox.dat
    2008-01-04 18:04 . 2008-01-12 14:20 5,180,704 --ahs---- D:\Windows\System32\drivers\fidbox(783).dat
    2008-01-04 18:04 . 2008-01-13 10:25 79,856 --ahs---- D:\Windows\System32\drivers\fidbox.idx
    2008-01-04 18:04 . 2008-01-12 11:57 69,824 --ahs---- D:\Windows\System32\drivers\fidbox(784).idx
    2008-01-04 18:02 . 2008-01-04 18:02 <DIR> d-------- D:\KAV
    2008-01-04 02:29 . 2008-01-04 02:29 0 --ah----- D:\ntuser.dat.LOG2
    2008-01-04 02:29 . 2008-01-04 02:29 0 --ah----- D:\ntuser.dat.LOG1
    2008-01-04 02:29 . 2008-01-04 02:29 0 --a------ D:\ntuser.dat
    2008-01-04 00:33 . 2008-01-04 00:33 <DIR> d-------- D:\VundoFix Backups
    2008-01-04 00:17 . 2008-01-04 00:17 109,248 --a------ D:\Windows\System32\MSWINSCK.OCX
    2008-01-01 13:18 . 2008-01-01 13:23 12,413,440 --a------ D:\Users\Paul\avgas-setup-7.5.1.43.exe
    2008-01-01 13:15 . 2008-01-01 13:14 8,004,432 --a------ D:\Users\Paul\Regdrill.exe
    2008-01-01 13:15 . 2008-01-01 13:15 1,408,025 --a------ D:\Users\Paul\registry-clean-pro.exe
    2007-12-31 20:23 . 2007-12-31 20:23 135,360 --a------ D:\Users\Paul\FixBlast.exe
    2007-12-26 16:55 . 2007-12-26 16:58 33,413,672 --a------ D:\Users\Paul\169.25_forceware_winvista_32bit_english_whql.exe
    2007-12-26 16:54 . 2007-12-26 16:54 <DIR> d-------- D:\Program Files\SystemRequirementsLab
    2007-12-26 16:53 . 2007-12-26 16:54 <DIR> d-------- D:\Users\Paul\AppData\Roaming\SystemRequirementsLab
    2007-12-26 14:27 . 2007-12-26 14:27 <DIR> d-------- D:\Program Files\Belarc
    2007-12-26 14:27 . 2005-04-07 17:18 3,840 --a------ D:\Windows\System32\drivers\BANTExt.sys
    2007-12-26 02:25 . 2008-01-10 03:29 171,895,433 --a------ D:\Windows\MEMORY.DMP
    2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a------ D:\Users\All Users\TEMP
    2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a------ D:\ProgramData\TEMP
    2007-12-23 20:33 . 2007-12-24 02:07 <DIR> d-------- D:\Program Files\Blaze Media Pro
    2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d-------- D:\Users\All Users\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
    2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d-------- D:\ProgramData\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
    2007-12-23 02:39 . 2007-12-23 02:39 <DIR> d-------- D:\Users\Paul\AppData\Roaming\Symantec
    2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d-------- D:\Users\All Users\Symantec
    2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d-------- D:\ProgramData\Symantec
    2007-12-23 02:14 . 2008-01-11 10:18 <DIR> d-------- D:\Program Files\Common Files\Symantec Shared
    2007-12-23 01:39 . 2007-12-23 01:39 162,521 --a------ D:\Windows\Audio Converter Pro Uninstaller.exe
    2007-12-23 01:16 . 2008-01-01 21:55 <DIR> d-------- D:\Users\Paul\AppData\Roaming\uTorrent
    2007-12-23 01:16 . 2007-12-23 01:16 <DIR> d-------- D:\Program Files\uTorrent
    2007-12-23 00:46 . 2004-01-21 21:15 240,128 --a------ D:\Windows\system\lame_enc.dll
    2007-12-22 22:26 . 2007-12-22 22:26 <DIR> d-------- D:\Program Files\Combined Community Codec Pack
    2007-12-22 22:26 . 2007-12-22 22:26 6,211,190 --a------ D:\Users\Paul\Combined-Community-Codec-Pack-2007-07-22.exe
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\Users\Paul\AppData\Roaming\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\Users\All Users\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\ProgramData\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\Program Files\River Past
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\Program Files\Common Files\River Past
    2007-12-22 22:22 . 2007-12-22 22:22 163,609 --a------ D:\Windows\Audio Converter Uninstaller.exe
    2007-12-22 22:04 . 2007-12-22 22:04 <DIR> d-------- D:\libmp3lame-3.97
    2007-12-22 21:56 . 2007-12-22 22:44 <DIR> d-------- D:\Users\Paul\AppData\Roaming\Audacity
    2007-12-22 21:56 . 2007-12-22 21:56 <DIR> d-------- D:\Program Files\Audacity 1.3 Beta (Unicode)
    2007-12-22 21:42 . 2007-12-22 21:48 <DIR> d-------- D:\Users\Paul\AppData\Roaming\FLV Extract
    2007-12-22 21:00 . 2007-12-22 21:00 <DIR> d-------- D:\Users\Paul\AppData\Roaming\vlc
    2007-12-22 20:57 . 2007-12-22 20:57 <DIR> d-------- D:\Program Files\VideoLAN
    2007-12-22 20:52 . 2007-12-22 20:52 <DIR> d-------- D:\Program Files\WinPcap
    2007-12-22 20:52 . 2007-12-22 20:52 46 --a------ D:\Windows\System32\DonationCoder_urlsnooper_InstallInfo.dat
    2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d-------- D:\Users\All Users\DonationCoder
    2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d-------- D:\ProgramData\DonationCoder
    2007-12-22 20:50 . 2007-12-22 21:32 <DIR> d-------- D:\Program Files\URLSnooper2
    2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d-------- D:\Users\All Users\WorldWinner.com
    2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d-------- D:\ProgramData\WorldWinner.com
    2007-12-18 20:36 . 2007-12-18 20:36 <DIR> d-------- D:\Program Files\SopCast
    2007-12-18 10:48 . 2007-12-18 10:48 159,458 --a------ D:\Windows\System32\nvapps.xml
    2007-12-16 21:11 . 2007-12-16 21:11 <DIR> d-------- D:\Program Files\Google
    2007-12-15 23:27 . 2007-12-15 23:37 681 --a------ D:\Windows\mozver.dat
    2007-12-14 18:52 . 2007-12-14 18:52 <DIR> d-------- D:\Windows\Sun
    2007-12-13 19:40 . 2007-12-31 18:52 <DIR> d-------- D:\Users\All Users\NVIDIA
    2007-12-13 19:40 . 2007-12-31 18:52 <DIR> d-------- D:\ProgramData\NVIDIA
    2007-12-13 19:36 . 2007-12-11 17:06 753,664 --a------ D:\Windows\System32\nvcplui.exe
    2007-12-13 19:36 . 2007-12-11 17:06 413,696 --a------ D:\Windows\System32\nvcpl.cpl
    2007-12-13 19:36 . 2007-12-11 17:06 307,200 --a------ D:\Windows\System32\nvexpbar.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-13 08:05 --------- d-----w D:\Program Files\Windows Mail
    2008-01-12 16:55 --------- d-----w D:\ProgramData\Microsoft Help
    2008-01-11 15:18 --------- d-----w D:\Program Files\Winamp
    2008-01-10 08:15 --------- d-----w D:\Program Files\Windows Sidebar
    2008-01-05 05:52 --------- d-----w D:\ProgramData\WLInstaller
    2007-12-14 00:34 --------- d-----w D:\Program Files\Common Files\InstallShield
    2007-12-12 22:09 --------- d-----w D:\Program Files\TheWeatherNetwork
    2007-12-12 10:52 63,488 ----a-w D:\Windows\system32\drivers\mpsdrv.sys
    2007-12-12 10:52 23,040 ----a-w D:\Windows\system32\drivers\tunnel.sys
    2007-12-12 10:52 15,360 ----a-w D:\Windows\system32\drivers\TUNMP.SYS
    2007-12-12 02:23 --------- d-----w D:\Program Files\Microsoft Works
    2007-12-12 02:21 --------- d-----w D:\Program Files\Microsoft.NET
    2007-12-12 02:00 --------- dcsh--w D:\Program Files\Common Files\WindowsLiveInstaller
    2007-12-12 02:00 --------- d-----w D:\Program Files\Windows Live
    2007-12-12 01:52 2,400,784 ----a-w D:\Users\Paul\WLinstaller.exe
    2007-12-12 01:51 --------- d-----w D:\Users\Paul\AppData\Roaming\Winamp
    2007-12-12 01:37 --------- d-----w D:\Program Files\VIA
    2007-12-12 01:24 --------- d-----w D:\Program Files\InstallShield Installation Information
    2007-12-12 00:44 52,736 ----a-w D:\Windows\AppPatch\iebrshim.dll
    2007-12-12 00:43 84,992 ----a-w D:\Windows\system32\drivers\srvnet.sys
    2007-12-12 00:43 58,368 ----a-w D:\Windows\system32\drivers\mrxsmb20.sys
    2007-12-12 00:43 130,048 ----a-w D:\Windows\system32\drivers\srv2.sys
    2007-12-12 00:43 101,888 ----a-w D:\Windows\system32\drivers\mrxsmb.sys
    2007-12-12 00:42 12,800 ----a-w D:\Windows\system32\drivers\fs_rec.sys
    2007-12-12 00:40 --------- d-----w D:\Program Files\Java
    2007-12-12 00:38 --------- d-----w D:\Program Files\Common Files\Java
    2007-12-11 22:06 8,238,688 ----a-w D:\Windows\system32\drivers\nvlddmkm.sys
    2006-11-02 12:49 174 --sha-w D:\Program Files\desktop.ini
    .
    ----a-w         4,484,816 2008-01-12 17:00:12  D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye .exe
    ----a-w           495,616 2008-01-12 17:00:02  D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL .exe
    ----a-w         6,094,848 2008-01-10 23:47:57  D:\Program Files\Windows Live\Messenger\msnmsgr    .exe
    ----a-w         6,094,848 2008-01-13 08:21:28  D:\Program Files\Windows Live\Messenger\msnmsgr   .exe
    ----a-w         6,094,848 2008-01-13 08:21:24  D:\Program Files\Windows Live\Messenger\msnmsgr  .exe


    ((((((((((((((((((((((((((((( snapshot_2008-01-11_10.33.05.84 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-12-12 02:22:16 248,632 ----a-w D:\Windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
    + 2008-01-12 16:52:56 251,272 ----a-w D:\Windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
    - 2007-12-12 02:22:16 781,104 ----a-w D:\Windows\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
    + 2008-01-12 16:52:29 783,744 ----a-w D:\Windows\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
    - 2008-01-11 15:27:18 67,584 --s-a-w D:\Windows\bootstat.dat
    + 2008-01-13 15:27:12 67,584 --s-a-w D:\Windows\bootstat.dat
    + 2006-10-27 20:00:12 1,751,904 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACECORE.DLL
    + 2006-10-27 20:00:10 576,376 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEDAO.DLL
    + 2006-10-27 20:00:06 47,976 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEERR.DLL
    + 2006-10-27 20:00:08 191,360 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEES.DLL
    + 2006-10-27 01:13:34 338,800 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEEXCH.DLL
    + 2006-10-27 01:13:44 629,616 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEEXCL.DLL
    + 2006-10-27 01:13:28 207,736 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACELTS.DLL
    + 2006-10-27 01:13:32 279,352 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODBC.DLL
    + 2006-10-27 01:13:08 15,160 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODDBS.DLL
    + 2006-10-27 01:13:08 15,160 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODEXL.DLL
    + 2006-10-27 01:13:08 15,160 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODPDX.DLL
    + 2006-10-27 01:13:12 15,160 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEODTXT.DLL
    + 2006-10-27 20:00:06 387,960 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEOLEDB.DLL
    + 2006-10-27 01:13:38 392,048 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEPDE.DLL
    + 2006-10-27 01:13:30 260,976 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACER2X.DLL
    + 2006-10-27 01:13:32 289,648 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACER3X.DLL
    + 2006-10-27 01:13:20 56,120 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACERCLR.DLL
    + 2006-10-27 01:13:38 551,800 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEREP.DLL
    + 2006-10-27 01:13:30 224,104 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACETXT.DLL
    + 2006-10-27 01:13:34 371,568 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACEXBE.DLL
    + 2006-10-27 20:41:04 399,640 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\CDLMSO.DLL
    + 2006-10-27 00:59:24 205,616 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\CLVIEW.EXE
    + 2006-10-27 02:30:42 65,312 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\COLLIMP.DLL
    + 2006-10-27 20:16:36 133,936 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\CONTAB32.DLL
    + 2006-10-27 01:12:52 189,760 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\CONTACTPICKER.DLL
    + 2006-10-27 01:55:32 87,344 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\DLGSETP.DLL
    + 2006-10-27 00:48:14 434,528 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\DWTRIG20.EXE
    + 2006-10-27 20:07:36 17,891,112 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\EXCEL.EXE
    + 2006-10-26 19:10:08 1,190,688 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\FM20.DLL
    + 2006-10-27 00:21:24 1,682,232 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\FPSRVUTL.DLL
    + 2006-10-27 20:09:36 983,376 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\FPWEC.DLL
    + 2006-10-27 01:02:12 2,526,520 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GRAPH.EXE
    + 2006-10-27 01:12:52 173,328 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\IEAWSDC.DLL
    + 2006-10-27 20:10:10 5,281,592 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\IPEDITOR.DLL
    + 2006-10-27 00:55:10 828,704 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MEDCAT.DLL
    + 2006-10-27 01:55:48 340,248 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MIMEDIR.DLL
    + 2006-10-26 18:58:14 117,552 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSCONV97.DLL
    + 2006-10-27 20:26:40 16,870,712 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSO.DLL
    + 2006-10-27 19:59:06 161,080 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSOCF.DLL
    + 2006-10-27 00:48:12 14,664 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSOCFU.DLL
    + 2006-10-27 01:12:58 428,816 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSODCW.DLL
    + 2006-10-27 02:13:36 26,936 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSOEURO.DLL
    + 2006-10-27 01:00:08 6,635,320 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSORES.DLL
    + 2006-10-26 18:56:36 436,520 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSORUN.DLL
    + 2006-10-27 00:50:04 672,024 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSQRY32.EXE
    + 2006-10-26 18:56:40 505,136 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSSOAP30.DLL
    + 2006-10-27 00:55:12 832,800 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSTORDB.EXE
    + 2006-10-27 00:55:06 538,904 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSTORES.DLL
    + 2006-10-27 01:12:30 65,824 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\NAME.DLL
    + 2006-10-27 20:14:34 14,151,456 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OART.DLL
    + 2006-10-27 01:42:36 8,423,224 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OARTCONV.DLL
    + 2006-10-27 01:06:54 232,816 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ODEPLOY.EXE
    + 2006-10-27 01:14:06 7,033,152 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OFFOWC.DLL
    + 2006-10-27 20:18:36 1,658,152 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OGL.DLL
    + 2006-10-27 01:00:08 274,744 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OIS.EXE
    + 2006-10-27 01:00:12 998,208 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OISAPP.DLL
    + 2006-10-27 01:00:10 285,008 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OISGRAPH.DLL
    + 2006-10-27 20:16:46 2,939,704 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OLMAPI32.DLL
    + 2006-10-27 01:34:12 660,792 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OMSMAIN.DLL
    + 2006-10-27 01:34:10 192,848 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OMSXP32.DLL
    + 2006-10-27 01:07:04 6,536,992 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OSETUP.DLL
    + 2006-07-26 23:53:56 459,080 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLFLTR.DLL
    + 2006-10-27 20:16:44 594,256 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLMIME.DLL
    + 2006-10-27 20:16:48 12,813,096 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLOOK.EXE
    + 2006-10-27 20:16:40 176,976 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLPH.DLL
    + 2006-10-27 02:30:44 482,088 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PORTCONN.DLL
    + 2006-10-27 20:04:06 465,200 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\POWERPNT.EXE
    + 2006-10-27 20:04:06 7,980,848 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PPCORE.DLL
    + 2007-12-12 02:22:16 248,632 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PPTPIA.DLL
    + 2006-10-27 00:52:10 2,012,480 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PPTVIEW.EXE
    + 2006-10-27 01:55:54 413,472 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PSTPRX32.DLL
    + 2006-10-27 02:13:38 38,168 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\REFEDIT.DLL
    + 2006-10-27 01:55:44 263,520 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SCNPST32.DLL
    + 2006-10-27 01:55:44 272,744 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SCNPST64.DLL
    + 2006-10-27 01:13:00 503,624 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SELFCERT.EXE
    + 2006-10-27 01:06:58 439,600 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SETUP.EXE
    + 2006-07-28 20:21:58 277,320 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SSGEN.DLL
    + 2006-10-27 19:57:08 2,330,968 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\STSLIST.DLL
    + 2006-09-30 05:42:56 2,583,344 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\VBE6.DLL
    + 2006-10-27 20:23:04 347,432 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WINWORD.EXE
    + 2007-12-12 02:22:16 781,104 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WORDPIA.DLL
    + 2006-10-27 20:11:38 4,235,560 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WRD12CNV.DLL
    + 2006-10-27 20:11:36 21,264 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WRD12EXE.EXE
    + 2006-10-27 20:23:08 17,483,560 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WWLIB.DLL
    + 2006-10-27 02:13:08 14,674,216 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\XL12CNV.EXE
    + 2006-10-27 02:17:08 11,072 ----a-r D:\Windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\XLCALL32.DLL
    - 2008-01-06 04:31:15 29,926 ----a-r D:\Windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
    + 2008-01-13 08:15:34 29,926 ----a-r D:\Windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
    - 2007-12-12 10:50:20 1,165,584 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
    + 2008-01-12 16:53:35 1,165,584 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
    - 2007-12-12 10:50:21 20,240 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
    + 2008-01-12 16:53:36 20,240 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
    - 2007-12-12 10:50:20 159,504 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
    + 2008-01-12 16:53:35 159,504 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
    - 2007-12-12 10:50:20 184,080 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
    + 2008-01-12 16:53:35 184,080 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
    - 2007-12-12 10:50:21 217,864 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
    + 2008-01-12 16:53:36 217,864 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
    - 2007-12-12 10:50:21 18,704 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
    + 2008-01-12 16:53:36 18,704 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
    - 2007-12-12 10:50:21 35,088 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
    + 2008-01-12 16:53:37 35,088 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
    - 2007-12-12 10:50:21 845,584 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
    + 2008-01-12 16:53:35 845,584 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
    - 2007-12-12 10:50:21 922,384 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
    + 2008-01-12 16:53:36 922,384 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
    - 2007-12-12 10:50:21 272,648 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
    + 2008-01-12 16:53:36 272,648 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
    - 2007-12-12 10:50:21 888,080 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
    + 2008-01-12 16:53:37 888,080 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
    - 2007-12-12 10:50:20 1,172,240 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
    + 2008-01-12 16:53:35 1,172,240 ----a-r D:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
    - 2007-12-12 02:13:53 217,864 ----a-r D:\Windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
    + 2008-01-12 16:55:52 217,864 ----a-r D:\Windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
    - 2008-01-11 14:49:26 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
    + 2008-01-13 14:33:54 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
    - 2008-01-11 15:27:40 262,144 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-01-13 15:27:46 262,144 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-01-13 15:27:46 262,144 ---ha-w D:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
    - 2008-01-11 15:10:24 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
    + 2008-01-13 14:41:54 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
    - 2008-01-11 15:27:40 262,144 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-01-13 15:27:46 262,144 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-01-13 15:27:46 262,144 ---ha-w D:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
    - 2008-01-11 15:16:39 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-13 14:33:54 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-11 15:16:39 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-13 14:33:54 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-11 15:16:39 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-13 14:33:54 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-11 15:17:48 262,144 ----a-w D:\Windows\System32\config\systemprofile\ntuser.dat
    + 2008-01-13 15:01:16 262,144 ----a-w D:\Windows\System32\config\systemprofile\ntuser.dat
    - 2006-10-26 19:10:08 1,190,688 ----a-w D:\Windows\System32\FM20.DLL
    + 2007-08-23 06:03:38 1,195,888 ----a-w D:\Windows\System32\FM20.DLL
    - 2008-01-10 08:31:29 6,029,312 ----a-w D:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
    + 2008-01-12 19:08:20 6,029,312 ----a-w D:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
    + 2008-01-12 19:37:58 356,352 ----a-w D:\Windows\System32\wbem\wbemcomn(552).dll
    - 2008-01-10 23:36:37 5,782 ----a-w D:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236469839-1975715874-2575763945-1000_UserData.bin
    + 2008-01-13 08:10:16 6,402 ----a-w D:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236469839-1975715874-2575763945-1000_UserData.bin
    - 2008-01-10 23:36:36 48,674 ----a-w D:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-01-13 08:10:14 49,230 ----a-w D:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2008-01-10 23:36:33 30,136 ----a-w D:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-01-12 19:53:06 30,312 ----a-w D:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-01-12 19:22:29 1,984,512 ----a-w D:\Windows\winsxs\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.0.6000.16513_none_0a056d7cf846bbd5\authui.dll
    + 2008-01-12 19:20:35 974,336 ----a-w D:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6000.16425_none_5978e103e0b8f230\crypt32.dll
    + 2008-01-12 19:22:30 204,800 ----a-w D:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6000.16512_none_d56b19bc316f9001\dhcpcsvc.dll
    + 2008-01-12 19:22:30 120,320 ----a-w D:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6000.16512_none_d56b19bc316f9001\dhcpcsvc6.dll
    + 2008-01-12 19:33:04 10,617,344 ----a-w D:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16557_none_095474fd52156893\wmp.dll
    + 2008-01-12 19:33:06 8,147,968 ----a-w D:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16557_none_095474fd52156893\wmploc.DLL
    + 2008-01-12 19:39:13 384,000 ----a-w D:\Windows\winsxs\x86_microsoft-windows-ndis-tdi-bindingengine_31bf3856ad364e35_6.0.6000.16517_none_3c2ad8f2286305c8\netcfgx.dll
    + 2008-01-12 19:26:38 223,232 ----a-w D:\Windows\winsxs\x86_microsoft-windows-s..icensing-slc-client_31bf3856ad364e35_6.0.6000.16509_none_c3421cfda8beb1db\SLC.dll
    + 2008-01-12 19:22:35 269,824 ----a-w D:\Windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.16508_none_20380cd258151361\schannel.dll
    + 2008-01-12 19:22:37 11,315,200 ----a-w D:\Windows\winsxs\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.16513_none_6a3b1b4414dac79d\shell32.dll
    + 2008-01-12 19:37:57 24,064 ----a-w D:\Windows\winsxs\x86_microsoft-windows-t..services-publicapis_31bf3856ad364e35_6.0.6000.16553_none_c5179c13c95485bd\wtsapi32.dll
    + 2008-01-12 19:22:26 123,904 ----a-w D:\Windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6000.16513_none_9043e1118ba0edc7\msvfw32.dll
    + 2008-01-12 19:22:27 712,192 ----a-w D:\Windows\winsxs\x86_microsoft-windows-windowscodec_31bf3856ad364e35_6.0.6000.16493_none_943d269aa43dda3a\WindowsCodecs.dll
    + 2008-01-12 19:37:58 356,352 ----a-w D:\Windows\winsxs\x86_microsoft-windows-wmi-core-wbemcomn-dll_31bf3856ad364e35_6.0.6000.16553_none_0161deb32631b63d\wbemcomn.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7533E4A7-EEE0-4DB9-95E2-9AF7F5AD9365}]
    D:\Windows\system32\ddaby.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="D:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:07 1232896]
    "ehTray.exe"="D:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]
    "WeatherEye"="D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-01-13 10:31 338944]
    "WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:33 201728]
    "msnmsgr"="D:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 07:32 1004136]
    "NvSvc"="D:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
    "NvCplDaemon"="D:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
    "NvMediaCenter"="D:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
    "AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]
    "combofix"="D:\Windows\system32\cmd.exe" [2006-11-02 04:44 320000]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qakcyvdl]
    qakcyvdl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 D:\Windows\system32\ddaby
    R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;D:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
    R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files\Spybot []
    R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;D:\Windows\system32\drivers\Envy24HF.sys [2007-03-15 08:56]
    S0 OemBiosDevice;Royalty OEM BIOS Extension;D:\Windows\system32\DRIVERS\royal.sys [2007-03-02 07:19]
    S3 NPF;NetGroup Packet Filter Driver;D:\Windows\system32\drivers\npf.sys [2007-06-21 15:55]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{889b9a67-a85e-11dc-8f73-806e6f6e6963}]
    \shell\AutoRun\command - E:\KAV7EN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{50C413FA-25F9-4C54-EB6C-03AE71A313CE}]
    D:\Windows\system32:svchost.exe
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-13 10:28:08
    Windows 6.0.6000 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-01-13 10:34:37 - machine was rebooted [Paul]
    ComboFix-quarantined-files.txt 2008-01-13 15:34:26
    ComboFix2.txt 2008-01-11 15:33:51
    ComboFix3.txt 2008-01-10 23:40:03
    .
    2008-01-12 16:56:04 --- E O F ---
  • Trogan London, UK
    edited January 2008
    Can you post a new HijackThis log too?
  • edited January 2008
    Computer running much better after combofix and disconnection from the internet.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:18:36 PM, on 13/01/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal
    Running processes:
    D:\Windows\system32\Dwm.exe
    D:\Windows\Explorer.EXE
    D:\Windows\system32\taskeng.exe
    D:\Windows\system32\conime.exe
    D:\Program Files\Windows Defender\MSASCui.exe
    D:\Windows\System32\rundll32.exe
    D:\Program Files\Windows Sidebar\sidebar.exe
    D:\Windows\ehome\ehtray.exe
    D:\Program Files\Windows Media Player\wmpnscfg.exe
    D:\Program Files\Windows Live\Messenger\msnmsgr.exe
    D:\Windows\system32\wbem\unsecapp.exe
    D:\Windows\System32\rundll32.exe
    D:\Windows\ehome\ehmsas.exe
    D:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKLM\..\Run: [combofix] D:\Windows\system32\cmd.exe /c D:\ComboFix\Combobatch.bat
    O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    --
    End of file - 5690 bytes
  • Trogan London, UK
    edited January 2008
    Just getting something checked. Will post as soon as possible.
  • Trogan London, UK
    edited January 2008
    Hi captaincrash,

    Before we begin, we will need to disable Windows Defender as it may interfere with the fix:
    • Open Windows Defender.
    • Click on Tools > General Settings.
    • Scroll Down and Uncheck Turn on real-time Protection (recommended).
    • After you uncheck these, click on the Save button and close Windows Defender.
    • Right click on the Windows Defender icon on the taskbar and select Shutdown Windows Defender.

    Please do the following...

    1. Open Notepad and copy/paste the text in the Quote Box below into it:
    File::
    D:\Windows\system32\ddaby.dll

    Folder::
    D:\Windows\System32\3cc87bc4

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7533E4A7-EEE0-4DB9-95E2-9AF7F5AD9365}]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    RENV::
    ----a-w 4,484,816 2008-01-12 17:00:12 D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye .exe
    ----a-w 495,616 2008-01-12 17:00:02 D:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL .exe
    ----a-w 6,094,848 2008-01-10 23:47:57 D:\Program Files\Windows Live\Messenger\msnmsgr .exe
    Note: Control has been bolded due to the forum software creating an extra unneeded space in the name.

    Save this as CFScript.txt to your Desktop

    CFScript.gif
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    2. Please post the ComboFix log, along with a new HijackThis log.
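    As an added example (not part of this thread and not ComboFix's own tooling): a small Python check that reads the LSA "Authentication Packages" line from the ComboFix "Reg Loading Points" section posted above, flags any package other than msv1_0 (here the ddaby module), and produces the REGEDIT4 hex(7) Registry:: line used in the CFScript, decoding the thread's own hex to confirm it resets the value to msv1_0 alone. The sample log lines are copied from the log above; the function names and the assumption that package entries contain no spaces (true for the values on this page) are mine.

```python
"""Check an LSA 'Authentication Packages' value from a ComboFix log and build the CFScript fix.

Added example for this thread. The sample lines below are the ones posted
in the ComboFix 'Reg Loading Points' section; everything else is constructed.
"""
from __future__ import annotations

import re

# On a clean Vista box only Microsoft's MSV1_0 package is expected here.
EXPECTED_PACKAGES = {"msv1_0"}

# Constructed sample: the two lines of interest, as they appear in the log.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 D:\\Windows\\system32\\ddaby
"""


def parse_auth_packages(log_text: str) -> list[str]:
    """Return the REG_MULTI_SZ entries listed after 'Authentication Packages'.

    ComboFix prints the entries separated by single spaces; this assumes no
    entry itself contains a space, which holds for the values in this thread.
    """
    for line in log_text.splitlines():
        m = re.match(r"\s*Authentication Packages\s+REG_MULTI_SZ\s+(.*)$", line)
        if m:
            return m.group(1).split()
    return []


def suspicious_packages(packages: list[str]) -> list[str]:
    """Anything that is not a known-good package name is flagged.

    A full path (rather than a bare module name resolved from system32) is
    itself a warning sign: legitimate packages are listed by name only.
    """
    return [p for p in packages if p.lower() not in EXPECTED_PACKAGES]


def encode_multi_sz(values: list[str]) -> str:
    """Encode strings as the .reg 'hex(7):' form of a REG_MULTI_SZ.

    Each string is NUL-terminated and the list ends with one extra NUL.
    REGEDIT4-format files (what ComboFix scripts use) store single-byte ANSI.
    """
    raw = b"".join(v.encode("ascii") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(hex7: str) -> list[str]:
    """Inverse of encode_multi_sz: 'hex(7):6d,73,...' -> ['msv1_0']."""
    if not hex7.startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    raw = bytes(int(h, 16) for h in hex7[len("hex(7):"):].split(",") if h)
    # Drop the list terminator, then split on the per-string NULs.
    return [s.decode("ascii") for s in raw.rstrip(b"\x00").split(b"\x00") if s]


def build_cfscript_fix(packages: list[str]) -> str:
    """Produce the Registry:: lines that reset the value to the known-good packages."""
    keep = [p for p in packages if p.lower() in EXPECTED_PACKAGES] or sorted(EXPECTED_PACKAGES)
    return (
        "Registry::\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
        f'"Authentication Packages"={encode_multi_sz(keep)}\n'
    )


def check_log(log_text: str) -> dict:
    """Run the whole check: parsed entries, flagged entries, and the fix if needed."""
    packages = parse_auth_packages(log_text)
    bad = suspicious_packages(packages)
    return {
        "packages": packages,
        "suspicious": bad,
        "fix": build_cfscript_fix(packages) if bad else "",
    }


if __name__ == "__main__":
    result = check_log(SAMPLE_LOG)
    print("packages  :", result["packages"])
    print("suspicious:", result["suspicious"])
    print(result["fix"])
```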
  • edited January 2008
    ComboFix 08-01-10.2 - Paul 2008-01-13 13:57:44.5 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1331 [GMT -5:00]
    Running from: D:\Users\Paul\Desktop\ComboFix.exe
    Command switches used :: D:\Users\Paul\Desktop\CFscript.txt
    * Created a new restore point
    FILE
    D:\Windows\system32\ddaby.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    D:\Windows\System32\3cc87bc4\
    .
    ((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
    .
    2008-01-12 14:39 . 2008-01-12 14:39 384,000 --a------ D:\Windows\System32\netcfgx(508).dll
    2008-01-12 14:37 . 2008-01-12 14:37 24,064 --a------ D:\Windows\System32\wtsapi32(565).dll
    2008-01-12 14:33 . 2008-01-12 14:33 10,617,344 --a------ D:\Windows\System32\wmp(562).dll
    2008-01-12 14:33 . 2008-01-12 14:33 8,147,968 --a------ D:\Windows\System32\wmploc(563).DLL
    2008-01-12 14:26 . 2008-01-12 14:26 223,232 --a------ D:\Windows\System32\SLC(530).dll
    2008-01-12 14:22 . 2008-01-12 14:22 11,315,200 --a------ D:\Windows\System32\shell32(529).dll
    2008-01-12 14:22 . 2008-01-12 14:22 1,984,512 --a------ D:\Windows\System32\authui(426).dll
    2008-01-12 14:22 . 2008-01-12 14:22 712,192 --a------ D:\Windows\System32\WindowsCodecs(555).dll
    2008-01-12 14:22 . 2008-01-12 14:22 269,824 --a------ D:\Windows\System32\schannel(527).dll
    2008-01-12 14:22 . 2008-01-12 14:22 204,800 --a------ D:\Windows\System32\dhcpcsvc(439).dll
    2008-01-12 14:22 . 2008-01-12 14:22 123,904 --a------ D:\Windows\System32\msvfw32(504).dll
    2008-01-12 14:22 . 2008-01-12 14:22 120,320 --a------ D:\Windows\System32\dhcpcsvc6(440).dll
    2008-01-12 14:20 . 2008-01-12 14:20 974,336 --a------ D:\Windows\System32\crypt32(435).dll
    2008-01-10 18:35 . 2008-01-10 18:35 9 --a------ D:\Windows\System32\3cc87bc4
    2008-01-10 18:14 . 2000-08-31 08:00 51,200 --a------ D:\Windows\NirCmd.exe
    2008-01-10 03:09 . 2008-01-10 03:09 802,816 --a------ D:\Windows\System32\drivers\tcpip.sys
    2008-01-10 03:09 . 2008-01-10 03:09 216,760 --a------ D:\Windows\System32\drivers\netio.sys
    2008-01-10 03:09 . 2008-01-10 03:09 167,424 --a------ D:\Windows\System32\tcpipcfg.dll
    2008-01-10 03:09 . 2008-01-10 03:09 24,064 --a------ D:\Windows\System32\netcfg.exe
    2008-01-10 03:09 . 2008-01-10 03:09 22,016 --a------ D:\Windows\System32\netiougc.exe
    2008-01-10 03:07 . 2008-01-10 03:07 11,776 --a------ D:\Windows\System32\sbunattend.exe
    2008-01-09 19:46 . 2008-01-13 10:59 <DIR> d-------- D:\Users\Paul\AppData\Roaming\Orbit
    2008-01-09 19:46 . 2008-01-13 03:04 <DIR> d-------- D:\Program Files\Orbitdownloader
    2008-01-09 19:46 . 2008-01-10 13:31 <DIR> d-------- D:\Downloads
    2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d-------- D:\Users\All Users\Spybot - Search & Destroy
    2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d-------- D:\ProgramData\Spybot - Search & Destroy
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d-------- D:\Users\All Users\Lavasoft
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d-------- D:\ProgramData\Lavasoft
    2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d-------- D:\Program Files\Lavasoft
    2008-01-05 23:54 . 2008-01-05 23:54 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
    2008-01-05 10:59 . 2008-01-05 10:59 <DIR> d-------- D:\Program Files\Trend Micro
    2008-01-04 18:10 . 2008-01-04 18:18 91,492 --a------ D:\Windows\System32\drivers\klin.dat
    2008-01-04 18:10 . 2008-01-04 18:18 85,860 --a------ D:\Windows\System32\drivers\klick.dat
    2008-01-04 18:05 . 2008-01-13 10:29 <DIR> d-------- D:\Users\All Users\Kaspersky Lab
    2008-01-04 18:05 . 2008-01-13 10:29 <DIR> d-------- D:\ProgramData\Kaspersky Lab
    2008-01-04 18:05 . 2008-01-04 18:05 <DIR> d-------- D:\Program Files\Kaspersky Lab
    2008-01-04 18:04 . 2008-01-13 14:07 5,832,992 --a------ D:\Windows\System32\drivers\fidbox.dat
    2008-01-04 18:04 . 2008-01-12 14:20 5,180,704 --ahs---- D:\Windows\System32\drivers\fidbox(783).dat
    2008-01-04 18:04 . 2008-01-13 14:02 80,240 --ahs---- D:\Windows\System32\drivers\fidbox.idx
    2008-01-04 18:04 . 2008-01-12 11:57 69,824 --ahs---- D:\Windows\System32\drivers\fidbox(784).idx
    2008-01-04 18:02 . 2008-01-04 18:02 <DIR> d-------- D:\KAV
    2008-01-04 02:29 . 2008-01-04 02:29 0 --ah----- D:\ntuser.dat.LOG2
    2008-01-04 02:29 . 2008-01-04 02:29 0 --ah----- D:\ntuser.dat.LOG1
    2008-01-04 02:29 . 2008-01-04 02:29 0 --a------ D:\ntuser.dat
    2008-01-04 00:33 . 2008-01-04 00:33 <DIR> d-------- D:\VundoFix Backups
    2008-01-04 00:17 . 2008-01-04 00:17 109,248 --a------ D:\Windows\System32\MSWINSCK.OCX
    2008-01-01 13:18 . 2008-01-01 13:23 12,413,440 --a------ D:\Users\Paul\avgas-setup-7.5.1.43.exe
    2008-01-01 13:15 . 2008-01-01 13:14 8,004,432 --a------ D:\Users\Paul\Regdrill.exe
    2008-01-01 13:15 . 2008-01-01 13:15 1,408,025 --a------ D:\Users\Paul\registry-clean-pro.exe
    2007-12-31 20:23 . 2007-12-31 20:23 135,360 --a------ D:\Users\Paul\FixBlast.exe
    2007-12-26 16:55 . 2007-12-26 16:58 33,413,672 --a------ D:\Users\Paul\169.25_forceware_winvista_32bit_english_whql.exe
    2007-12-26 16:54 . 2007-12-26 16:54 <DIR> d-------- D:\Program Files\SystemRequirementsLab
    2007-12-26 16:53 . 2007-12-26 16:54 <DIR> d-------- D:\Users\Paul\AppData\Roaming\SystemRequirementsLab
    2007-12-26 14:27 . 2007-12-26 14:27 <DIR> d-------- D:\Program Files\Belarc
    2007-12-26 14:27 . 2005-04-07 17:18 3,840 --a------ D:\Windows\System32\drivers\BANTExt.sys
    2007-12-26 02:25 . 2008-01-10 03:29 171,895,433 --a------ D:\Windows\MEMORY.DMP
    2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a------ D:\Users\All Users\TEMP
    2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a------ D:\ProgramData\TEMP
    2007-12-23 20:33 . 2007-12-24 02:07 <DIR> d-------- D:\Program Files\Blaze Media Pro
    2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d-------- D:\Users\All Users\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
    2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d-------- D:\ProgramData\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
    2007-12-23 02:39 . 2007-12-23 02:39 <DIR> d-------- D:\Users\Paul\AppData\Roaming\Symantec
    2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d-------- D:\Users\All Users\Symantec
    2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d
    D:\ProgramData\Symantec
    2007-12-23 02:14 . 2008-01-11 10:18 <DIR> d
    D:\Program Files\Common Files\Symantec Shared
    2007-12-23 01:39 . 2007-12-23 01:39 162,521 --a
    D:\Windows\Audio Converter Pro Uninstaller.exe
    2007-12-23 01:16 . 2008-01-01 21:55 <DIR> d
    D:\Users\Paul\AppData\Roaming\uTorrent
    2007-12-23 01:16 . 2007-12-23 01:16 <DIR> d
    D:\Program Files\uTorrent
    2007-12-23 00:46 . 2004-01-21 21:15 240,128 --a
    D:\Windows\system\lame_enc.dll
    2007-12-22 22:26 . 2007-12-22 22:26 <DIR> d
    D:\Program Files\Combined Community Codec Pack
    2007-12-22 22:26 . 2007-12-22 22:26 6,211,190 --a
    D:\Users\Paul\Combined-Community-Codec-Pack-2007-07-22.exe
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d
    D:\Users\Paul\AppData\Roaming\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d
    D:\Users\All Users\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d
    D:\ProgramData\River Past G5
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d
    D:\Program Files\River Past
    2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d
    D:\Program Files\Common Files\River Past
    2007-12-22 22:22 . 2007-12-22 22:22 163,609 --a
    D:\Windows\Audio Converter Uninstaller.exe
    2007-12-22 22:04 . 2007-12-22 22:04 <DIR> d
    D:\libmp3lame-3.97
    2007-12-22 21:56 . 2007-12-22 22:44 <DIR> d
    D:\Users\Paul\AppData\Roaming\Audacity
    2007-12-22 21:56 . 2007-12-22 21:56 <DIR> d
    D:\Program Files\Audacity 1.3 Beta (Unicode)
    2007-12-22 21:42 . 2007-12-22 21:48 <DIR> d
    D:\Users\Paul\AppData\Roaming\FLV Extract
    2007-12-22 21:00 . 2007-12-22 21:00 <DIR> d
    D:\Users\Paul\AppData\Roaming\vlc
    2007-12-22 20:57 . 2007-12-22 20:57 <DIR> d
    D:\Program Files\VideoLAN
    2007-12-22 20:52 . 2007-12-22 20:52 <DIR> d
    D:\Program Files\WinPcap
    2007-12-22 20:52 . 2007-12-22 20:52 46 --a
    D:\Windows\System32\DonationCoder_urlsnooper_InstallInfo.dat
    2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d
    D:\Users\All Users\DonationCoder
    2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d
    D:\ProgramData\DonationCoder
    2007-12-22 20:50 . 2007-12-22 21:32 <DIR> d
    D:\Program Files\URLSnooper2
    2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d
    D:\Users\All Users\WorldWinner.com
    2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d
    D:\ProgramData\WorldWinner.com
    2007-12-18 20:36 . 2007-12-18 20:36 <DIR> d
    D:\Program Files\SopCast
    2007-12-18 10:48 . 2007-12-18 10:48 159,458 --a
    D:\Windows\System32\nvapps.xml
    2007-12-16 21:11 . 2007-12-16 21:11 <DIR> d
    D:\Program Files\Google
    2007-12-15 23:27 . 2007-12-15 23:37 681 --a
    D:\Windows\mozver.dat
    2007-12-14 18:52 . 2007-12-14 18:52 <DIR> d
    D:\Windows\Sun
    2007-12-13 19:40 . 2007-12-31 18:52 <DIR> d
    D:\Users\All Users\NVIDIA
    2007-12-13 19:40 . 2007-12-31 18:52 <DIR> d
    D:\ProgramData\NVIDIA
    2007-12-13 19:36 . 2007-12-11 17:06 753,664 --a
    D:\Windows\System32\nvcplui.exe
    2007-12-13 19:36 . 2007-12-11 17:06 413,696 --a
    D:\Windows\System32\nvcpl.cpl
    2007-12-13 19:36 . 2007-12-11 17:06 307,200 --a
    D:\Windows\System32\nvexpbar.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-13 08:05 d-----w D:\Program Files\Windows Mail
    2008-01-12 16:55 d-----w D:\ProgramData\Microsoft Help
    2008-01-11 15:18 d-----w D:\Program Files\Winamp
    2008-01-10 08:15 d-----w D:\Program Files\Windows Sidebar
    2008-01-05 05:52 d-----w D:\ProgramData\WLInstaller
    2007-12-14 00:34 d-----w D:\Program Files\Common Files\InstallShield
    2007-12-12 22:09 d-----w D:\Program Files\TheWeatherNetwork
    2007-12-12 10:52 63,488 ----a-w D:\Windows\system32\drivers\mpsdrv.sys
    2007-12-12 10:52 23,040 ----a-w D:\Windows\system32\drivers\tunnel.sys
    2007-12-12 10:52 15,360 ----a-w D:\Windows\system32\drivers\TUNMP.SYS
    2007-12-12 02:23 d-----w D:\Program Files\Microsoft Works
    2007-12-12 02:21 d-----w D:\Program Files\Microsoft.NET
    2007-12-12 02:00 dcsh--w D:\Program Files\Common Files\WindowsLiveInstaller
    2007-12-12 02:00 d-----w D:\Program Files\Windows Live
    2007-12-12 01:52 2,400,784 ----a-w D:\Users\Paul\WLinstaller.exe
    2007-12-12 01:51 d-----w D:\Users\Paul\AppData\Roaming\Winamp
    2007-12-12 01:37 d-----w D:\Program Files\VIA
    2007-12-12 01:24 d-----w D:\Program Files\InstallShield Installation Information
    2007-12-12 00:44 52,736 ----a-w D:\Windows\AppPatch\iebrshim.dll
    2007-12-12 00:43 84,992 ----a-w D:\Windows\system32\drivers\srvnet.sys
    2007-12-12 00:43 58,368 ----a-w D:\Windows\system32\drivers\mrxsmb20.sys
    2007-12-12 00:43 130,048 ----a-w D:\Windows\system32\drivers\srv2.sys
    2007-12-12 00:43 101,888 ----a-w D:\Windows\system32\drivers\mrxsmb.sys
    2007-12-12 00:42 12,800 ----a-w D:\Windows\system32\drivers\fs_rec.sys
    2007-12-12 00:40 d-----w D:\Program Files\Java
    2007-12-12 00:38 d-----w D:\Program Files\Common Files\Java
    2007-12-11 22:06 8,238,688 ----a-w D:\Windows\system32\drivers\nvlddmkm.sys
    2006-11-02 12:49 174 --sha-w D:\Program Files\desktop.ini
    .
    ----a-w         6,094,848 2008-01-13 15:53:08  D:\Program Files\Windows Live\Messenger\msnmsgr    .exe
    ----a-w         6,094,848 2008-01-13 15:39:35  D:\Program Files\Windows Live\Messenger\msnmsgr   .exe
    ----a-w         6,094,848 2008-01-13 08:21:24  D:\Program Files\Windows Live\Messenger\msnmsgr  .exe

    ((((((((((((((((((((((((((((( snapshot_2008-01-13_10.33.37.13 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-13 15:27:12 67,584 --s-a-w D:\Windows\bootstat.dat
    + 2008-01-13 19:06:19 67,584 --s-a-w D:\Windows\bootstat.dat
    - 2008-01-11 15:17:04 151,552 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-13 18:57:20 151,552 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-11 15:17:04 147,456 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
    + 2008-01-13 18:57:20 147,456 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
    - 2008-01-11 15:17:04 1,761,280 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-13 18:57:20 1,769,472 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000003\ntuser.dat
    - 2008-01-11 15:17:04 1,130,496 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-13 18:57:20 1,130,496 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2000-08-31 13:00:00 163,328 ----a-w D:\Windows\erdnt\subs\ERDNT.EXE
    - 2008-01-13 14:33:54 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
    + 2008-01-13 18:52:57 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
    - 2008-01-13 15:27:46 262,144 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-01-13 19:06:54 262,144 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-01-13 19:06:54 262,144 ---ha-w D:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
    - 2008-01-13 14:41:54 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
    + 2008-01-13 17:18:36 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
    - 2008-01-13 15:27:46 262,144 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-01-13 19:06:54 262,144 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-01-13 19:06:54 262,144 ---ha-w D:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
    - 2008-01-13 08:10:16 6,402 ----a-w D:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236469839-1975715874-2575763945-1000_UserData.bin
    + 2008-01-13 15:29:56 6,458 ----a-w D:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236469839-1975715874-2575763945-1000_UserData.bin
    - 2008-01-13 08:10:14 49,230 ----a-w D:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-01-13 15:29:55 49,254 ----a-w D:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="D:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:07 1232896]
    "ehTray.exe"="D:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]
    "WeatherEye"="D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-01-12 12:00 4484816]
    "WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:33 201728]
    "msnmsgr"="D:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 07:32 1004136]
    "NvSvc"="D:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
    "NvCplDaemon"="D:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
    "NvMediaCenter"="D:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
    "AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;D:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
    R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files\Spybot []
    R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;D:\Windows\system32\drivers\Envy24HF.sys [2007-03-15 08:56]
    S0 OemBiosDevice;Royalty OEM BIOS Extension;D:\Windows\system32\DRIVERS\royal.sys [2007-03-02 07:19]
    S3 NPF;NetGroup Packet Filter Driver;D:\Windows\system32\drivers\npf.sys [2007-06-21 15:55]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{889b9a67-a85e-11dc-8f73-806e6f6e6963}]
    \shell\AutoRun\command - E:\KAV7EN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{50C413FA-25F9-4C54-EB6C-03AE71A313CE}]
    D:\Windows\system32:svchost.exe
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-13 14:07:14
    Windows 6.0.6000 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-01-13 14:12:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-13 19:12:20
    ComboFix2.txt 2008-01-13 15:34:39
    ComboFix3.txt 2008-01-11 15:33:51
    ComboFix4.txt 2008-01-10 23:40:03
    .
    2008-01-12 16:56:04 --- E O F ---

    HJT LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:15:03 PM, on 13/01/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal
    Running processes:
    D:\Windows\system32\Dwm.exe
    D:\Windows\Explorer.EXE
    D:\Windows\system32\taskeng.exe
    D:\Windows\system32\conime.exe
    D:\Program Files\Windows Defender\MSASCui.exe
    D:\Windows\System32\rundll32.exe
    D:\Program Files\Windows Sidebar\sidebar.exe
    D:\Windows\ehome\ehtray.exe
    D:\Program Files\Windows Media Player\wmpnscfg.exe
    D:\Program Files\Windows Live\Messenger\msnmsgr.exe
    D:\Windows\system32\wbem\unsecapp.exe
    D:\Windows\System32\rundll32.exe
    D:\Windows\ehome\ehmsas.exe
    D:\Windows\system32\SearchFilterHost.exe
    D:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    --
    End of file - 5643 bytes
  • Trogan London, UK
    edited January 2008
    Hi captaincrash,

    Looking much better...just a little left to do.

    Please do the following...

    1. Could you uninstall Windows Live Messenger and reinstall it please.

    2. Delete the following Folder in RED, if found:

    D:\Windows\System32\3cc87bc4

    3. Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases

        • Click OK
        • Now under select a target to scan:
          Select
        My Computer
        • This program will start and scan your system.
        • The scan will take a while so be patient and let it run.
        • Once the scan is complete it will display if your system has been infected.
        • Now click on the Save as Text button:
        • Save the file to your desktop.
        4. Please post the Kaspersky scan report.
      • edited January 2008
        It's telling me that I have to use the Kaspersky that's on my system....

        Should I?
      • Trogan London, UK
        edited January 2008
        Yes, go on. Make sure it's updated first. If you know how, try and get a report, otherwise make a note of anything found.
      • edited January 2008
        I'm 5% into what looks like it will be a long scan... msnmsgr.exe has already come up 3 times with the same Trojan-Dropper.Win32.Agent.dgo that it has been coming up with in the past.

        I have reinstalled MSN and have updated Kaspersky before doing this.
      • edited January 2008
        KASPERSKY RESULTS (The msn file is the only one I didn't delete as it would have deleted the .exe file)

        deleted: adware not-a-virus:AdWare.Win32.BHO.cn File:
        C:\Documents and Settings\Paul\Local Settings\Temp\$updater\YDZZTV.exe//PE_Patch.UPX//#

        deleted: adware not-a-virus:AdWare.Win32.BHO.cn File: C:\Documents and Settings\Paul\Local Settings\Temp\$updater\YSUG9G.exe//PE_Patch.UPX//#

        deleted: Trojan program Trojan-Dropper.Win32.Agent.dmj File: C:\old\Dump Bin\fceu.zip/fceu.exe

        deleted: adware not-a-virus:AdWare.Win32.NewDotNet File: C:\old\Dump Bin\misc\marine2free.exe//WiseSFXDropper//WISE0050.BIN

        deleted: adware not-a-virus:AdWare.Win32.BHO.cn File: C:\WINDOWS\system32\HPDirecter.dll

        deleted: adware not-a-virus:AdWare.Win32.BHO.cn File: C:\WINDOWS\system32\HPI4.dll

        deleted: Trojan program Trojan-Downloader.Win32.VB.btr File: C:\WINDOWS\system32\MSWINSCK.OCX

        detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: D:\Program Files\Windows Live\Messenger\msnmsgr .exe

        detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: D:\Program Files\Windows Live\Messenger\msnmsgr .exe

        detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: D:\Program Files\Windows Live\Messenger\msnmsgr .exe

        deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: D:\ProgramData\Lavasoft\Ad-Aware 2007\update\backup\AAWTray.exe.old

        deleted: adware not-a-virus:AdWare.Win32.Virtumonde.din File: D:\QooBox\Quarantine\D\Windows\System32\adeuktet.dll.vir

        deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: D:\QooBox\Quarantine\D\Windows\System32\cebmphcv.exe.vir

        deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: D:\QooBox\Quarantine\D\Windows\System32\cuojbmkr.exe.vir

        deleted: Trojan program Trojan-Dropper.Win32.Agent.dgo File: D:\QooBox\Quarantine\D\Windows\System32\ddaby.exe.vir

        deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: D:\QooBox\Quarantine\D\Windows\System32\demrgsdo.exe.vir

        deleted: adware not-a-virus:AdWare.Win32.Virtumonde.din File: D:\QooBox\Quarantine\D\Windows\System32\etawjfys.dll.vir

        deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: D:\QooBox\Quarantine\D\Windows\System32\hvermqwi.exe.vir

        deleted: adware not-a-virus:AdWare.Win32.Virtumonde.din File: D:\QooBox\Quarantine\D\Windows\System32\mpedtiwe.dll.vir

        deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: D:\QooBox\Quarantine\D\Windows\System32\nafdkvcn.exe.vir

        deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: D:\QooBox\Quarantine\D\Windows\System32\nwyoargf.exe.vir

        deleted: adware not-a-virus:AdWare.Win32.Virtumonde.din File: D:\QooBox\Quarantine\D\Windows\System32\oycyhmqj.dll.vir

        deleted: adware not-a-virus:AdWare.Win32.Virtumonde.din File: D:\QooBox\Quarantine\D\Windows\System32\rlpojfnc.dll.vir

        deleted: adware not-a-virus:AdWare.Win32.Virtumonde.din File: D:\QooBox\Quarantine\D\Windows\System32\xeukftkg.dll.vir

        deleted: adware not-a-virus:AdWare.Win32.Virtumonde.din File: D:\QooBox\Quarantine\D\Windows\System32\xoyjuunf.dll.vir

        not found: Trojan program Trojan-Dropper.Win32.Agent.dgo File: D:\Users\All Users\Lavasoft\Ad-Aware 2007\update\backup\AAWTray.exe.old
      • Trogan London, UK
        edited January 2008
        Hi,

        Let's try this:

        Open Notepad and copy/paste the text in the Quote Box below into it:
        RENV::
        ----a-w 6,094,848 2008-01-13 15:53:08 D:\Program Files\Windows Live\Messenger\msnmsgr .exe
        ----a-w 6,094,848 2008-01-13 15:39:35 D:\Program Files\Windows Live\Messenger\msnmsgr .exe
        ----a-w 6,094,848 2008-01-13 08:21:24 D:\Program Files\Windows Live\Messenger\msnmsgr .exe

        Save this as CFScript.txt to your Desktop

        [Screenshot: CFScript.gif]
        • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
        • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
        • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
        CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

        Post the ComboFix log, along with a new HijackThis log.
      • edited January 2008
        ComboFix 08-01-10.2 - Paul 2008-01-14 10:30:27.6 - NTFSx86
        Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1095 [GMT -5:00]
        Running from: D:\Users\Paul\Desktop\ComboFix.exe
        Command switches used :: D:\Users\Paul\Desktop\CFscript.txt
        * Created a new restore point
        .
        ((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
        .
        2008-01-12 14:39 . 2008-01-12 14:39 384,000 --a
        D:\Windows\System32\netcfgx(508).dll
        2008-01-12 14:37 . 2008-01-12 14:37 24,064 --a
        D:\Windows\System32\wtsapi32(565).dll
        2008-01-12 14:33 . 2008-01-12 14:33 10,617,344 --a
        D:\Windows\System32\wmp(562).dll
        2008-01-12 14:33 . 2008-01-12 14:33 8,147,968 --a
        D:\Windows\System32\wmploc(563).DLL
        2008-01-12 14:26 . 2008-01-12 14:26 223,232 --a
        D:\Windows\System32\SLC(530).dll
        2008-01-12 14:22 . 2008-01-12 14:22 11,315,200 --a
        D:\Windows\System32\shell32(529).dll
        2008-01-12 14:22 . 2008-01-12 14:22 1,984,512 --a
        D:\Windows\System32\authui(426).dll
        2008-01-12 14:22 . 2008-01-12 14:22 712,192 --a
        D:\Windows\System32\WindowsCodecs(555).dll
        2008-01-12 14:22 . 2008-01-12 14:22 269,824 --a
        D:\Windows\System32\schannel(527).dll
        2008-01-12 14:22 . 2008-01-12 14:22 204,800 --a
        D:\Windows\System32\dhcpcsvc(439).dll
        2008-01-12 14:22 . 2008-01-12 14:22 123,904 --a
        D:\Windows\System32\msvfw32(504).dll
        2008-01-12 14:22 . 2008-01-12 14:22 120,320 --a
        D:\Windows\System32\dhcpcsvc6(440).dll
        2008-01-12 14:20 . 2008-01-12 14:20 974,336 --a
        D:\Windows\System32\crypt32(435).dll
        2008-01-10 18:35 . 2008-01-10 18:35 9 --a
        D:\Windows\System32\3cc87bc4
        2008-01-10 18:14 . 2000-08-31 08:00 51,200 --a
        D:\Windows\NirCmd.exe
        2008-01-10 03:09 . 2008-01-10 03:09 802,816 --a
        D:\Windows\System32\drivers\tcpip.sys
        2008-01-10 03:09 . 2008-01-10 03:09 216,760 --a
        D:\Windows\System32\drivers\netio.sys
        2008-01-10 03:09 . 2008-01-10 03:09 167,424 --a
        D:\Windows\System32\tcpipcfg.dll
        2008-01-10 03:09 . 2008-01-10 03:09 24,064 --a
        D:\Windows\System32\netcfg.exe
        2008-01-10 03:09 . 2008-01-10 03:09 22,016 --a
        D:\Windows\System32\netiougc.exe
        2008-01-10 03:07 . 2008-01-10 03:07 11,776 --a
        D:\Windows\System32\sbunattend.exe
        2008-01-09 19:46 . 2008-01-13 10:59 <DIR> d
        D:\Users\Paul\AppData\Roaming\Orbit
        2008-01-09 19:46 . 2008-01-13 03:04 <DIR> d
        D:\Program Files\Orbitdownloader
        2008-01-09 19:46 . 2008-01-10 13:31 <DIR> d
        D:\Downloads
        2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d
        D:\Users\All Users\Spybot - Search & Destroy
        2008-01-06 00:32 . 2008-01-06 01:09 <DIR> d
        D:\ProgramData\Spybot - Search & Destroy
        2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d
        D:\Users\All Users\Lavasoft
        2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d
        D:\ProgramData\Lavasoft
        2008-01-05 23:56 . 2008-01-05 23:56 <DIR> d
        D:\Program Files\Lavasoft
        2008-01-05 23:54 . 2008-01-05 23:54 <DIR> d
        D:\Program Files\Common Files\Wise Installation Wizard
        2008-01-05 10:59 . 2008-01-05 10:59 <DIR> d
        D:\Program Files\Trend Micro
        2008-01-04 18:10 . 2008-01-04 18:18 91,492 --a
        D:\Windows\System32\drivers\klin.dat
        2008-01-04 18:10 . 2008-01-04 18:18 85,860 --a
        D:\Windows\System32\drivers\klick.dat
        2008-01-04 18:05 . 2008-01-13 15:18 <DIR> d
        D:\Users\All Users\Kaspersky Lab
        2008-01-04 18:05 . 2008-01-13 15:18 <DIR> d
        D:\ProgramData\Kaspersky Lab
        2008-01-04 18:05 . 2008-01-04 18:05 <DIR> d
        D:\Program Files\Kaspersky Lab
        2008-01-04 18:04 . 2008-01-14 10:35 10,898,976 --a
        D:\Windows\System32\drivers\fidbox.dat
        2008-01-04 18:04 . 2008-01-12 14:20 5,180,704 --ahs---- D:\Windows\System32\drivers\fidbox(783).dat
        2008-01-04 18:04 . 2008-01-13 14:02 80,240 --ahs---- D:\Windows\System32\drivers\fidbox.idx
        2008-01-04 18:04 . 2008-01-12 11:57 69,824 --ahs---- D:\Windows\System32\drivers\fidbox(784).idx
        2008-01-04 18:02 . 2008-01-13 15:17 <DIR> d-------- D:\KAV
        2008-01-04 02:29 . 2008-01-04 02:29 0 --ah----- D:\ntuser.dat.LOG2
        2008-01-04 02:29 . 2008-01-04 02:29 0 --ah----- D:\ntuser.dat.LOG1
        2008-01-04 02:29 . 2008-01-04 02:29 0 --a------ D:\ntuser.dat
        2008-01-04 00:33 . 2008-01-04 00:33 <DIR> d-------- D:\VundoFix Backups
        2008-01-04 00:17 . 2008-01-04 00:17 109,248 --a------ D:\Windows\System32\MSWINSCK.OCX
        2008-01-01 13:18 . 2008-01-01 13:23 12,413,440 --a------ D:\Users\Paul\avgas-setup-7.5.1.43.exe
        2008-01-01 13:15 . 2008-01-01 13:14 8,004,432 --a------ D:\Users\Paul\Regdrill.exe
        2008-01-01 13:15 . 2008-01-01 13:15 1,408,025 --a------ D:\Users\Paul\registry-clean-pro.exe
        2007-12-31 20:23 . 2007-12-31 20:23 135,360 --a------ D:\Users\Paul\FixBlast.exe
        2007-12-26 16:55 . 2007-12-26 16:58 33,413,672 --a------ D:\Users\Paul\169.25_forceware_winvista_32bit_english_whql.exe
        2007-12-26 16:54 . 2007-12-26 16:54 <DIR> d-------- D:\Program Files\SystemRequirementsLab
        2007-12-26 16:53 . 2007-12-26 16:54 <DIR> d-------- D:\Users\Paul\AppData\Roaming\SystemRequirementsLab
        2007-12-26 14:27 . 2007-12-26 14:27 <DIR> d-------- D:\Program Files\Belarc
        2007-12-26 14:27 . 2005-04-07 17:18 3,840 --a------ D:\Windows\System32\drivers\BANTExt.sys
        2007-12-26 02:25 . 2008-01-10 03:29 171,895,433 --a------ D:\Windows\MEMORY.DMP
        2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a------ D:\Users\All Users\TEMP
        2007-12-23 20:35 . 2007-12-24 02:07 <DIR> d-a------ D:\ProgramData\TEMP
        2007-12-23 20:33 . 2007-12-24 02:07 <DIR> d-------- D:\Program Files\Blaze Media Pro
        2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d-------- D:\Users\All Users\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
        2007-12-23 20:32 . 2007-12-23 20:34 <DIR> d-------- D:\ProgramData\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
        2007-12-23 02:39 . 2007-12-23 02:39 <DIR> d-------- D:\Users\Paul\AppData\Roaming\Symantec
        2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d-------- D:\Users\All Users\Symantec
        2007-12-23 02:14 . 2008-01-04 17:54 <DIR> d-------- D:\ProgramData\Symantec
        2007-12-23 02:14 . 2008-01-11 10:18 <DIR> d-------- D:\Program Files\Common Files\Symantec Shared
        2007-12-23 01:39 . 2007-12-23 01:39 162,521 --a------ D:\Windows\Audio Converter Pro Uninstaller.exe
        2007-12-23 01:16 . 2008-01-01 21:55 <DIR> d-------- D:\Users\Paul\AppData\Roaming\uTorrent
        2007-12-23 01:16 . 2007-12-23 01:16 <DIR> d-------- D:\Program Files\uTorrent
        2007-12-23 00:46 . 2004-01-21 21:15 240,128 --a------ D:\Windows\system\lame_enc.dll
        2007-12-22 22:26 . 2007-12-22 22:26 <DIR> d-------- D:\Program Files\Combined Community Codec Pack
        2007-12-22 22:26 . 2007-12-22 22:26 6,211,190 --a------ D:\Users\Paul\Combined-Community-Codec-Pack-2007-07-22.exe
        2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\Users\Paul\AppData\Roaming\River Past G5
        2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\Users\All Users\River Past G5
        2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\ProgramData\River Past G5
        2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\Program Files\River Past
        2007-12-22 22:22 . 2007-12-23 01:39 <DIR> d-------- D:\Program Files\Common Files\River Past
        2007-12-22 22:22 . 2007-12-22 22:22 163,609 --a------ D:\Windows\Audio Converter Uninstaller.exe
        2007-12-22 22:04 . 2007-12-22 22:04 <DIR> d-------- D:\libmp3lame-3.97
        2007-12-22 21:56 . 2007-12-22 22:44 <DIR> d-------- D:\Users\Paul\AppData\Roaming\Audacity
        2007-12-22 21:56 . 2007-12-22 21:56 <DIR> d-------- D:\Program Files\Audacity 1.3 Beta (Unicode)
        2007-12-22 21:42 . 2007-12-22 21:48 <DIR> d-------- D:\Users\Paul\AppData\Roaming\FLV Extract
        2007-12-22 21:00 . 2007-12-22 21:00 <DIR> d-------- D:\Users\Paul\AppData\Roaming\vlc
        2007-12-22 20:57 . 2007-12-22 20:57 <DIR> d-------- D:\Program Files\VideoLAN
        2007-12-22 20:52 . 2007-12-22 20:52 <DIR> d-------- D:\Program Files\WinPcap
        2007-12-22 20:52 . 2007-12-22 20:52 46 --a------ D:\Windows\System32\DonationCoder_urlsnooper_InstallInfo.dat
        2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d-------- D:\Users\All Users\DonationCoder
        2007-12-22 20:50 . 2007-12-22 20:50 <DIR> d-------- D:\ProgramData\DonationCoder
        2007-12-22 20:50 . 2007-12-22 21:32 <DIR> d-------- D:\Program Files\URLSnooper2
        2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d-------- D:\Users\All Users\WorldWinner.com
        2007-12-18 23:41 . 2007-12-18 23:41 <DIR> d-------- D:\ProgramData\WorldWinner.com
        2007-12-18 20:36 . 2007-12-18 20:36 <DIR> d-------- D:\Program Files\SopCast
        2007-12-18 10:48 . 2007-12-18 10:48 159,458 --a------ D:\Windows\System32\nvapps.xml
        2007-12-16 21:11 . 2007-12-16 21:11 <DIR> d-------- D:\Program Files\Google
        2007-12-15 23:27 . 2007-12-15 23:37 681 --a------ D:\Windows\mozver.dat
        2007-12-14 18:52 . 2007-12-14 18:52 <DIR> d-------- D:\Windows\Sun
        .
        (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-01-13 20:02 --------- d-----w D:\ProgramData\WLInstaller
        2008-01-13 08:05 --------- d-----w D:\Program Files\Windows Mail
        2008-01-12 16:55 --------- d-----w D:\ProgramData\Microsoft Help
        2008-01-11 15:18 --------- d-----w D:\Program Files\Winamp
        2008-01-10 08:15 --------- d-----w D:\Program Files\Windows Sidebar
        2007-12-31 23:52 --------- d-----w D:\ProgramData\NVIDIA
        2007-12-14 00:34 --------- d-----w D:\Program Files\Common Files\InstallShield
        2007-12-14 00:33 31,956,512 ----a-w D:\Users\Paul\163.75_forceware_winvista_32bit_english_whql.exe
        2007-12-13 15:33 --------- d-----w D:\Program Files\Common Files\Adobe
        2007-12-12 22:09 --------- d-----w D:\Program Files\TheWeatherNetwork
        2007-12-12 10:54 87,040 ----a-w D:\Windows\System32\msoert2.dll
        2007-12-12 10:54 39,424 ----a-w D:\Windows\System32\ACCTRES.dll
        2007-12-12 10:54 205,824 ----a-w D:\Windows\System32\msoeacct.dll
        2007-12-12 10:53 49,664 ----a-w D:\Windows\System32\csrsrv.dll
        2007-12-12 10:53 376,320 ----a-w D:\Windows\System32\winsrv.dll
        2007-12-12 10:53 374,456 ----a-w D:\Windows\System32\mcupdate_GenuineIntel.dll
        2007-12-12 10:52 86,016 ----a-w D:\Windows\System32\icfupgd.dll
        2007-12-12 10:52 63,488 ----a-w D:\Windows\system32\drivers\mpsdrv.sys
        2007-12-12 10:52 61,952 ----a-w D:\Windows\System32\cmifw.dll
        2007-12-12 10:52 414,208 ----a-w D:\Windows\System32\msscp.dll
        2007-12-12 10:52 396,800 ----a-w D:\Windows\System32\MPSSVC.dll
        2007-12-12 10:52 392,192 ----a-w D:\Windows\System32\FirewallAPI.dll
        2007-12-12 10:52 23,040 ----a-w D:\Windows\system32\drivers\tunnel.sys
        2007-12-12 10:52 178,688 ----a-w D:\Windows\System32\iphlpsvc.dll
        2007-12-12 10:52 16,896 ----a-w D:\Windows\System32\wfapigp.dll
        2007-12-12 10:52 15,360 ----a-w D:\Windows\system32\drivers\TUNMP.SYS
        2007-12-12 10:51 8,147,968 ----a-w D:\Windows\System32\wmploc.DLL
        2007-12-12 10:51 7,680 ----a-w D:\Windows\System32\spwmp.dll
        2007-12-12 10:51 4,096 ----a-w D:\Windows\System32\dxmasf.dll
        2007-12-12 10:51 104,448 ----a-w D:\Windows\System32\DWWIN.EXE
        2007-12-12 10:51 1,191,936 ----a-w D:\Windows\System32\msxml3.dll
        2007-12-12 02:23 --------- d-----w D:\Program Files\Microsoft Works
        2007-12-12 02:21 --------- d-----w D:\Program Files\Microsoft.NET
        2007-12-12 02:00 --------- dcsh--w D:\Program Files\Common Files\WindowsLiveInstaller
        2007-12-12 02:00 --------- d-----w D:\Program Files\Windows Live
        2007-12-12 01:52 2,400,784 ----a-w D:\Users\Paul\WLinstaller.exe
        2007-12-12 01:51 --------- d-----w D:\Users\Paul\AppData\Roaming\Winamp
        2007-12-12 01:37 --------- d-----w D:\Program Files\VIA
        2007-12-12 01:24 --------- d-----w D:\Program Files\InstallShield Installation Information
        2007-12-12 00:47 1,327,104 ----a-w D:\Windows\System32\quartz.dll
        2007-12-12 00:46 9,728 ----a-w D:\Windows\System32\LAPRXY.DLL
        2007-12-12 00:46 223,232 ----a-w D:\Windows\System32\WMASF.DLL
        2007-12-12 00:46 1,335,296 ----a-w D:\Windows\System32\msxml6.dll
        2007-12-12 00:45 84,480 ----a-w D:\Windows\System32\INETRES.dll
        2007-12-12 00:45 737,792 ----a-w D:\Windows\System32\inetcomm.dll
        2007-12-12 00:44 56,320 ----a-w D:\Windows\System32\iesetup.dll
        2007-12-12 00:44 52,736 ----a-w D:\Windows\AppPatch\iebrshim.dll
        2007-12-12 00:44 26,624 ----a-w D:\Windows\System32\ieUnatt.exe
        2007-12-12 00:43 84,992 ----a-w D:\Windows\system32\drivers\srvnet.sys
        2007-12-12 00:43 58,368 ----a-w D:\Windows\system32\drivers\mrxsmb20.sys
        2007-12-12 00:43 130,048 ----a-w D:\Windows\system32\drivers\srv2.sys
        2007-12-12 00:43 101,888 ----a-w D:\Windows\system32\drivers\mrxsmb.sys
        2007-12-12 00:42 788,992 ----a-w D:\Windows\System32\rpcrt4.dll
        2007-12-12 00:42 5,120 ----a-w D:\Windows\System32\wmi.dll
        2007-12-12 00:42 3,504,824 ----a-w D:\Windows\System32\ntkrnlpa.exe
        2007-12-12 00:42 3,470,520 ----a-w D:\Windows\System32\ntoskrnl.exe
        2007-12-12 00:42 152,576 ----a-w D:\Windows\System32\imagehlp.dll
        2007-12-12 00:42 12,800 ----a-w D:\Windows\system32\drivers\fs_rec.sys
        2007-12-12 00:41 750,080 ----a-w D:\Windows\System32\qmgr.dll
        2007-12-12 00:41 633,856 ----a-w D:\Windows\System32\user32.dll
        2007-12-12 00:41 2,026,496 ----a-w D:\Windows\System32\win32k.sys
        2007-12-12 00:40 --------- d-----w D:\Program Files\Java
        2007-12-12 00:38 --------- d-----w D:\Program Files\Common Files\Java
        2007-12-12 00:18 53,080 ----a-w D:\Windows\System32\wuauclt.exe
        2007-12-12 00:18 43,352 ----a-w D:\Windows\System32\wups2.dll
        2007-12-12 00:18 1,712,984 ----a-w D:\Windows\System32\wuaueng.dll
        2007-12-12 00:18 1,524,224 ----a-w D:\Windows\System32\wucltux.dll
        2007-12-12 00:16 80,896 ----a-w D:\Windows\System32\wudriver.dll
        2007-12-12 00:16 549,720 ----a-w D:\Windows\System32\wuapi.dll
        2007-12-12 00:16 33,624 ----a-w D:\Windows\System32\wups.dll
        2007-12-12 00:14 31,232 ----a-w D:\Windows\System32\wuapp.exe
        2007-12-12 00:14 163,000 ----a-w D:\Windows\System32\wuwebv.dll
        2007-12-11 23:52 356,352 ----a-w D:\Windows\System32\NVUNINST.EXE
        2007-12-11 22:06 86,016 ----a-w D:\Windows\System32\nvsvc.dll
        2007-12-11 22:06 81,920 ----a-w D:\Windows\System32\nvmctray.dll
        2007-12-11 22:06 8,530,464 ----a-w D:\Windows\System32\nvcpl.dll
        2007-12-11 22:06 8,238,688 ----a-w D:\Windows\system32\drivers\nvlddmkm.sys
        2007-12-11 22:06 795,104 ----a-w D:\Windows\System32\dpinst.exe
        2007-12-11 22:06 753,664 ----a-w D:\Windows\System32\nvcplui.exe
        2007-12-11 22:06 7,098,368 ----a-w D:\Windows\System32\nvoglv32.dll
        2007-12-11 22:06 6,549,504 ----a-w D:\Windows\System32\nvdisps.dll
        2007-12-11 22:06 5,263,360 ----a-w D:\Windows\System32\nvd3dum.dll
        2007-12-11 22:06 45,056 ----a-w D:\Windows\System32\nvmccsrs.dll
        2007-12-11 22:06 385,024 ----a-w D:\Windows\System32\nvapi.dll
        2007-12-11 22:06 356,352 ----a-w D:\Windows\System32\nvudisp.exe
        2007-12-11 22:06 35,328 ----a-w D:\Windows\System32\nvcod100.dll
        2007-12-11 22:06 35,328 ----a-w D:\Windows\System32\nvcod.dll
        2007-12-11 22:06 307,200 ----a-w D:\Windows\System32\nvexpbar.dll
        2007-12-11 22:06 3,710,976 ----a-w D:\Windows\System32\nvvitvs.dll
        2007-12-11 22:06 3,420,160 ----a-w D:\Windows\System32\nvgames.dll
        2007-12-11 22:06 229,376 ----a-w D:\Windows\System32\nvmccs.dll
        2007-12-11 22:06 2,498,560 ----a-w D:\Windows\System32\nvwss.dll
        2007-12-11 22:06 188,416 ----a-w D:\Windows\System32\nvmccss.dll
        2007-12-11 22:06 147,456 ----a-w D:\Windows\System32\nvcolor.exe
        2007-12-11 22:06 1,830,912 ----a-w D:\Windows\System32\nvwgf2um.dll
        2007-12-11 22:06 1,228,800 ----a-w D:\Windows\System32\nvmobls.dll
        2007-10-18 16:31 51,224 ----a-w D:\Windows\System32\sirenacm.dll
        2006-11-02 12:49 174 --sha-w D:\Program Files\desktop.ini
        .
        ----a-w         6,094,848 2008-01-14 13:28:34  D:\Program Files\Windows Live\Messenger\msnmsgr    .exe
        ----a-w         6,094,848 2008-01-14 13:28:35  D:\Program Files\Windows Live\Messenger\msnmsgr   .exe
        ----a-w         6,094,848 2008-01-14 15:23:01  D:\Program Files\Windows Live\Messenger\msnmsgr  .exe

        ((((((((((((((((((((((((((((( snapshot_2008-01-13_10.33.37.13 )))))))))))))))))))))))))))))))))))))))))
        .
        - 2008-01-13 15:27:12 67,584 --s-a-w D:\Windows\bootstat.dat
        + 2008-01-13 19:06:19 67,584 --s-a-w D:\Windows\bootstat.dat
        - 2008-01-11 15:17:04 151,552 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
        + 2008-01-14 15:28:48 151,552 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
        - 2008-01-11 15:17:04 147,456 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
        + 2008-01-14 15:28:49 147,456 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
        - 2008-01-11 15:17:04 1,761,280 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
        + 2008-01-14 15:28:50 1,769,472 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000003\ntuser.dat
        - 2008-01-11 15:17:04 1,130,496 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
        + 2008-01-14 15:28:53 1,130,496 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
        + 2000-08-31 13:00:00 163,328 ----a-w D:\Windows\erdnt\subs\ERDNT.EXE
        - 2008-01-13 08:15:34 29,926 ----a-r D:\Windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
        + 2008-01-13 20:10:49 29,926 ----a-r D:\Windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
        - 2008-01-13 14:33:54 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
        + 2008-01-14 07:47:03 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
        - 2008-01-13 15:27:46 262,144 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
        + 2008-01-13 19:10:03 262,144 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
        - 2008-01-13 14:41:54 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
        + 2008-01-14 07:47:03 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
        - 2008-01-13 15:27:46 262,144 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
        + 2008-01-13 19:09:57 262,144 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
        + 2008-01-13 19:09:57 262,144 ---ha-w D:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
        - 2008-01-13 14:33:54 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
        + 2008-01-13 20:32:39 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
        - 2008-01-13 14:33:54 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
        + 2008-01-13 20:32:39 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
        - 2008-01-13 14:33:54 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
        + 2008-01-13 20:32:39 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
        - 2008-01-13 15:01:16 262,144 ----a-w D:\Windows\System32\config\systemprofile\ntuser.dat
        + 2008-01-14 15:29:53 262,144 ----a-w D:\Windows\System32\config\systemprofile\ntuser.dat
        - 2008-01-13 08:10:16 6,402 ----a-w D:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236469839-1975715874-2575763945-1000_UserData.bin
        + 2008-01-13 19:09:01 6,482 ----a-w D:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236469839-1975715874-2575763945-1000_UserData.bin
        - 2008-01-13 08:10:14 49,230 ----a-w D:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
        + 2008-01-13 19:09:00 49,262 ----a-w D:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
        .
        -- Snapshot reset to current date --
        .
        ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4
        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Sidebar"="D:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:07 1232896]
        "ehTray.exe"="D:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]
        "WeatherEye"="D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-01-12 12:00 4484816]
        "WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:33 201728]
        "msnmsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 07:32 1004136]
        "NvSvc"="D:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
        "NvCplDaemon"="D:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
        "NvMediaCenter"="D:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
        "AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]
        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "EnableLUA"= 0 (0x0)
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
        "AppInit_DLLs"=D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
        R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;D:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
        R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files\Spybot []
        R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;D:\Windows\system32\drivers\Envy24HF.sys [2007-03-15 08:56]
        S0 OemBiosDevice;Royalty OEM BIOS Extension;D:\Windows\system32\DRIVERS\royal.sys [2007-03-02 07:19]
        S3 NPF;NetGroup Packet Filter Driver;D:\Windows\system32\drivers\npf.sys [2007-06-21 15:55]
        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{889b9a67-a85e-11dc-8f73-806e6f6e6963}]
        \shell\AutoRun\command - E:\KAV7EN.EXE

        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{50C413FA-25F9-4C54-EB6C-03AE71A313CE}]
        D:\Windows\system32:svchost.exe
        .
        **************************************************************************
        catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-01-14 10:35:38
        Windows 6.0.6000 NTFS
        scanning hidden processes ...
        scanning hidden autostart entries ...
        scanning hidden files ...
        scan completed successfully
        hidden files: 0
        **************************************************************************
        .
        Completion time: 2008-01-14 10:38:00
        ComboFix-quarantined-files.txt 2008-01-14 15:37:52
        ComboFix2.txt 2008-01-13 19:12:25
        ComboFix3.txt 2008-01-13 15:34:39
        ComboFix4.txt 2008-01-11 15:33:51
        ComboFix5.txt 2008-01-10 23:40:03
        .
        2008-01-12 16:56:04 --- E O F ---

        HJT LOG

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 10:48:02 AM, on 14/01/2008
        Platform: Windows Vista (WinNT 6.00.1904)
        MSIE: Internet Explorer v7.00 (7.00.6000.16575)
        Boot mode: Normal
        Running processes:
        D:\Windows\system32\Dwm.exe
        D:\Windows\system32\taskeng.exe
        D:\Windows\System32\rundll32.exe
        D:\Program Files\Windows Sidebar\sidebar.exe
        D:\Windows\ehome\ehtray.exe
        D:\Program Files\Windows Media Player\wmpnscfg.exe
        D:\Windows\system32\wbem\unsecapp.exe
        D:\Windows\System32\rundll32.exe
        D:\Windows\ehome\ehmsas.exe
        D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
        D:\Windows\system32\conime.exe
        D:\Windows\Explorer.exe
        D:\Program Files\Internet Explorer\iexplore.exe
        D:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
        O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
        O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
        O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
        O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
        O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
        O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
        O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
        O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
        O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
        O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O13 - Gopher Prefix:
        O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
        O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
        O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
        O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
        O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
        --
        End of file - 5527 bytes
      • Trogan, London, UK
        edited January 2008
        Hi captaincrash,

        Please do the following...

        1. Uninstall Windows Messenger again

        2. Delete the following Folder in RED:

        D:\Program Files\Windows Live

        3. Empty the recycle bin

        4. Reinstall Windows Messenger

        5. Scan with Kaspersky and let me know if Messenger is detected.
      • edited January 2008
        Trogan,

        Actually, this afternoon I deleted the msn.exe file through Kaspersky; it didn't limit my access to log onto MSN, and now it is not finding anything in the scan.

        Computer is running great; the only issue is that my C drive has a red X in place of the drive icon... not sure what this is.
      • Trogan, London, UK
        edited January 2008
        I'm not sure either, sorry.

        You could ask in the Operating System Forum.

        Could you post a new HijackThis log, so I can give it a final look.
      • edited January 2008
        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 12:31:10 PM, on 15/01/2008
        Platform: Windows Vista (WinNT 6.00.1904)
        MSIE: Internet Explorer v7.00 (7.00.6000.16575)
        Boot mode: Normal
        Running processes:
        D:\Windows\system32\Dwm.exe
        D:\Windows\system32\taskeng.exe
        D:\Windows\System32\rundll32.exe
        D:\Program Files\Windows Sidebar\sidebar.exe
        D:\Windows\ehome\ehtray.exe
        D:\Program Files\Windows Media Player\wmpnscfg.exe
        D:\Windows\system32\wbem\unsecapp.exe
        D:\Windows\System32\rundll32.exe
        D:\Windows\ehome\ehmsas.exe
        D:\Program Files\Windows Live\Messenger\msnmsgr.exe
        D:\Windows\system32\conime.exe
        D:\Windows\Explorer.exe
        D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
        D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
        D:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
        D:\Program Files\Mozilla Firefox\firefox.exe
        D:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
        O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
        O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
        O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
        O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
        O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
        O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
        O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
        O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
        O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
        O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
        O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O13 - Gopher Prefix:
        O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
        O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
        O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
        O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
        O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
        --
        End of file - 5695 bytes
      • Trogan, London, UK
        edited January 2008
        Hi captaincrash,

        There is a newer Java update that you should download.

        Updating Java:
        • Download the latest version of Java(TM) SE Runtime Environment 6 Update 4.
        • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
        • Click the "Download" button to the right.
        • Check the box that says: "Accept License Agreement".
        • The page will refresh.
        • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
        • Close any programs you may have running - especially your web browser.
        • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
        • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
        • Click the Remove or Change/Remove button.
        • Repeat as many times as necessary to remove each Java version.
        • Reboot your computer once all Java components are removed.
        • Then from your desktop double-click on the download to install the newest version.
        Apart from that, the HijackThis log is clean.

        Do you have a Firewall running?