IObit Forum

win32.small.ca HELP ME


Campil


Posted

How do I remove this virus? I don't want to have to keep shutting down because it won't let me access any of my programs. Here is a HijackThis log:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:57:10 AM, on 10/1/2010

Platform: Windows Vista SP2 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18943)

Boot mode: Normal

 

Running processes:

C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe

C:\Program Files\IObit\IObit Security 360\is360tray.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Users\xayana\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\wuauclt.exe

C:\Users\xayana\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Users\xayana\AppData\Local\Google\Chrome\Application\chrome.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll

O4 - HKLM\..\Run: [bing Bar] "C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe"

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM\..\Run: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Users\xayana\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: Download with ImTOO Download YouTube Video - C:\Program Files\ImTOO\Download YouTube Video\upod_link.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\xayana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk

O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.23.0.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\Windows\system32\libusbd-nt.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

 

--

End of file - 11203 bytes

Posted

Hello and welcome to IObit Forums. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

 

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

 

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

 

Open HijackThis and select Do a system scan only

 

Place a check mark next to the following entries: (if there)

 

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)

 

Important: Close all open windows except for HijackThis and then click Fix checked.

 

Once completed, exit HijackThis.

 

***************************************

SUPERAntiSpyware

 

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

 

Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.

 

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

 

•Close browsers before scanning

•Scan for tracking cookies

•Terminate memory threats before quarantining

Please leave the others unchecked

 

•Click the Close button to leave the control center screen.

 

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

 

•To retrieve the removal information please do the following:

•After reboot, double-click the SUPERAntiSpyware icon on your desktop.

•Click Preferences. Click the Statistics/Logs tab.

 

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

 

•It will open in your default text editor (preferably Notepad).

•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

 

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

*Copy and Paste the log in your post.

*****************************************

Please download Malwarebytes Anti-Malware from here.

 

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

 

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

***********************************

Download Security Check by screen317 from one of the following links and save it to your desktop.

 

Link 1

Link 2

 

* Unzip SecurityCheck.zip and a folder named Security Check should appear.

* Open the Security Check folder and double-click Security Check.bat

* Follow the on-screen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt

* Post the contents of that document in your next reply.

 

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
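The four entries Dave asks to have fixed above share one trait in the HijackThis log: each ends in "(no file)" or "(file missing)", meaning the registry still references a BHO, toolbar or service whose target no longer exists on disk. The script below is an added example, not part of this thread and not HijackThis's own code: it parses lines in the log format shown in the first post and lists those orphaned entries. The sample log is an excerpt of lines posted above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HijackThis entry starts with a section code (R0, O2, O23 ...) and " - ".
_SECTION_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# COM class ids appear as {8-4-4-4-12 hex}; 36 characters between the braces.
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Markers HijackThis appends when the referenced file cannot be found on disk.
_ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Constructed sample: an excerpt of the log lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
"""


@dataclass
class HjtEntry:
    code: str              # section code, e.g. "O2"
    body: str              # everything after "O2 - "
    clsid: Optional[str]   # CLSID if the entry carries one, else None
    orphaned: bool         # True when the entry points at a file that does not exist


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; return None for header/process lines that are not entries."""
    m = _SECTION_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = _CLSID_RE.search(body)
    return HjtEntry(
        code=m.group("code"),
        body=body,
        clsid=clsid.group(0) if clsid else None,
        orphaned=body.endswith(_ORPHAN_MARKERS),
    )


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse a whole log, keeping only lines that are HijackThis entries."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def orphaned_entries(text: str) -> List[str]:
    """Return the full text of every entry whose target file is missing."""
    return [f"{e.code} - {e.body}" for e in parse_hjt_log(text) if e.orphaned]


if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print("orphaned:", entry)
```

Run against the sample it prints exactly the four entries Dave selected. Orphaned registrations are dead weight rather than an active threat, which is why they can be removed with "Fix checked" without touching anything else; the real signal in this log comes later from the MBAM and ComboFix results.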

Posted

Results of screen317's Security Check version 0.99.5

Windows Vista Service Pack 2 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

McAfee SecurityCenter

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 14

Java SE Runtime Environment 6 Update 1

Out of date Java installed!

Adobe Flash Player 10.0.45.2

Adobe Reader 9

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

McAfee VIRUSS~1 mcshield.exe

````````````````````````````````

DNS Vulnerability Check:

 

``````````End of Log````````````

Posted

I'll try to get the logs in as soon as possible. The virus won't let me go into the internet and other programs. So I have to keep shutting down once in a while.

Posted
The virus won't let me go into the internet and other programs

It would have been nice to know that from the start.

 

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

**********************************

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

Save Rkill to your desktop.

 

There are 4 different versions. If one of them won't run then download and try to run the other one.

 

Vista and Win7 users need to right click Rkill and choose Run as Administrator

 

 

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

 

* Rkill.exe

* Rkill.com

* Rkill.scr

* Rkill.pif

 

Once you've gotten one of them to run then try to immediately run the following.

Posted

Malwarebytes' Anti-Malware 1.46

http://www.malwarebytes.org

 

Database version: 4731

 

Windows 6.0.6001 Service Pack 2

Internet Explorer 8.0.6001.18943

 

10/4/2010 6:40:17 AM

mbam-log-2010-10-04 (06-40-17).txt

 

Scan type: Full scan (C:\|D:\|)

Objects scanned: 494821

Time elapsed: 2 hour(s), 57 minute(s), 59 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Qoobox\Quarantine\C\wow.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Users\xayana\AppData\Local\lbrenr.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Users\xayana\AppData\Local\uqoxocig.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Users\xayana\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp.vir (Spyware.Passwords) -> Quarantined and deleted successfully.

Posted

Please download ComboFix from BleepingComputer.com

 

Alternate link: GeeksToGo.com

 

Rename ComboFix.exe to commy.exe before you save it to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.

Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.

When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

 

If you have problems with ComboFix usage, see How to use ComboFix

Posted

ComboFix 10-10-03.03 - xayana 10/04/2010 15:34:37.3.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.2.1252.1.1033.18.3070.2056 [GMT -5:00]

Running from: c:\users\xayana\Desktop\commy.exe.exe

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

* Resident AV is active

 

.

 

((((((((((((((((((((((((( Files Created from 2010-09-04 to 2010-10-04 )))))))))))))))))))))))))))))))

.

 

2010-10-04 20:46 . 2010-10-04 20:47 -------- d-----w- c:\users\xayana\AppData\Local\temp

2010-10-04 20:46 . 2010-10-04 20:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2010-10-04 20:46 . 2010-10-04 20:46 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-10-04 20:46 . 2010-10-04 20:46 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-10-02 15:06 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-10-02 12:40 . 2010-10-02 12:40 -------- d-----w- c:\windows\CheckSur

2010-10-02 00:30 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-02 00:30 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-01 23:37 . 2010-10-01 23:38 63488 ----a-w- c:\users\xayana\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-10-01 23:37 . 2010-10-01 23:37 52224 ----a-w- c:\users\xayana\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-10-01 23:37 . 2010-10-01 23:38 117760 ----a-w- c:\users\xayana\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-10-01 23:37 . 2010-10-01 23:37 -------- d-----w- c:\users\xayana\AppData\Roaming\SUPERAntiSpyware.com

2010-10-01 23:37 . 2010-10-01 23:37 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-10-01 17:54 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-10-01 16:05 . 2010-10-01 16:05 -------- d-----w- c:\users\xayana\AppData\Roaming\Malwarebytes

2010-10-01 16:05 . 2010-10-01 16:05 -------- d-----w- c:\programdata\Malwarebytes

2010-10-01 16:05 . 2010-10-02 00:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-30 22:31 . 2010-09-30 22:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2010-09-30 22:05 . 2010-10-04 20:07 -------- d-----w- c:\program files\Windows Live Safety Center

2010-09-30 20:05 . 2010-09-30 20:05 -------- d-----w- c:\programdata\Yahoo!

2010-09-30 20:02 . 2009-03-08 11:33 109568 ----a-w- c:\windows\system32\PDMSetup.exe

2010-09-30 20:02 . 2009-03-08 11:33 107520 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2010-09-30 20:02 . 2009-03-08 11:33 107008 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2010-09-30 20:02 . 2009-03-08 11:33 103936 ----a-w- c:\windows\system32\SetDepNx.exe

2010-09-30 20:02 . 2009-03-08 11:32 169472 ----a-w- c:\windows\system32\iexpress.exe

2010-09-30 20:02 . 2009-03-08 11:31 45568 ----a-w- c:\windows\system32\mshta.exe

2010-09-29 13:21 . 2010-09-29 13:22 -------- d-----w- C:\acc0b40cb8b192485da00ba1b1

2010-09-29 08:30 . 2010-06-22 12:57 2048 ----a-w- c:\windows\system32\tzres.dll

2010-09-28 00:15 . 2010-09-28 00:15 -------- d-----w- c:\program files\Feedback Tool

2010-09-16 20:09 . 2010-09-16 20:09 -------- d-----w- c:\users\xayana\AppData\Roaming\IObit

2010-09-15 11:27 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll

2010-09-15 11:27 . 2010-08-17 13:32 126464 ----a-w- c:\windows\system32\spoolsv.exe

2010-09-15 11:27 . 2010-04-05 16:08 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL

2010-09-15 11:27 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll

2010-09-09 20:32 . 2010-09-09 20:32 -------- d-----w- c:\users\xayana\Office Genuine Advantage

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-04 20:21 . 2010-08-23 21:55 -------- d-----w- c:\program files\Steam

2010-10-04 20:19 . 2007-11-27 11:01 -------- d-----w- c:\programdata\NVIDIA

2010-10-04 20:18 . 2010-07-03 15:24 37013 ----a-w- c:\programdata\nvModes.dat

2010-10-03 21:15 . 2007-11-27 11:20 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-10-03 03:05 . 2010-05-23 22:39 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-10-03 03:05 . 2008-06-26 02:47 233960 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-10-02 18:52 . 2008-10-17 00:46 -------- d-----w- c:\users\xayana\AppData\Roaming\Xfire

2010-10-02 17:52 . 2008-10-17 00:46 -------- d-----w- c:\programdata\Xfire

2010-10-02 00:18 . 2008-02-25 04:19 -------- d-----w- c:\program files\Avi Player

2010-10-01 01:27 . 2008-02-28 02:44 7690 ----a-w- c:\users\xayana\AppData\Roaming\wklnhst.dat

2010-09-30 22:09 . 2008-02-25 05:56 -------- d-----w- c:\programdata\Yahoo! Companion

2010-09-30 20:05 . 2007-11-27 11:19 -------- d-----w- c:\program files\Yahoo!

2010-09-29 13:22 . 2010-04-21 23:40 -------- d-----w- c:\program files\Microsoft Silverlight

2010-09-20 20:16 . 2010-02-20 03:33 -------- d-----w- c:\program files\Common Files\Steam

2010-09-16 20:18 . 2007-11-27 11:11 -------- d-----w- c:\program files\Microsoft Works

2010-09-16 08:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2010-09-16 08:08 . 2008-03-02 01:31 -------- d-----w- c:\programdata\Microsoft Help

2010-09-01 14:31 . 2010-09-01 14:30 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-09-01 14:31 . 2010-09-01 14:36 53632 ----a-w- c:\users\xayana\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-09-01 14:31 . 2010-09-01 14:30 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-09-01 14:30 . 2009-06-24 02:08 -------- d-----w- c:\programdata\Electronic Arts

2010-08-28 18:33 . 2010-08-28 18:33 -------- d-----w- c:\program files\AviSynth 2.5

2010-08-28 18:32 . 2008-03-02 02:54 -------- d-----w- c:\program files\Red Kawa

2010-08-28 18:30 . 2009-08-18 20:12 -------- d-----w- c:\users\xayana\AppData\Roaming\Azureus

2010-08-28 18:28 . 2010-08-28 18:15 721694 ----a-w- c:\users\xayana\AppData\Roaming\Neoretix\TubeHunter Ultra\unins000.exe

2010-08-28 18:18 . 2010-08-28 18:18 8432064 ----a-w- c:\users\xayana\AppData\Roaming\Azureus\tmp\AZU1769716333555898706.tmp\Vuze_4.5.0.2a_win32.exe

2010-08-28 18:15 . 2010-08-28 18:15 -------- d-----w- c:\program files\WinPcap

2010-08-28 18:15 . 2010-08-28 18:15 -------- d-----w- c:\users\xayana\AppData\Roaming\Neoretix

2010-08-28 18:11 . 2010-08-28 18:11 -------- d-----w- c:\program files\Free iPod Video Converter

2010-08-28 17:34 . 2010-08-28 17:34 -------- d-----w- c:\program files\Cucusoft

2010-08-27 18:36 . 2010-03-24 23:22 -------- d-----w- c:\program files\SystemRequirementsLab

2010-08-27 18:36 . 2010-08-27 18:36 92280 ----a-w- c:\users\xayana\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll

2010-08-27 18:36 . 2010-03-24 23:22 -------- d-----w- c:\users\xayana\AppData\Roaming\SystemRequirementsLab

2010-08-23 01:52 . 2008-04-10 22:30 -------- d-----w- c:\users\xayana\AppData\Roaming\Apple Computer

2010-08-23 01:51 . 2008-04-10 02:30 -------- d-----w- c:\programdata\Apple

2010-08-22 15:24 . 2006-11-02 10:25 51200 ----a-w- c:\windows\Inf\infpub.dat

2010-08-22 15:11 . 2010-08-22 15:11 -------- d-----w- c:\program files\Realtek

2010-08-22 15:11 . 2006-11-02 10:25 143360 ----a-w- c:\windows\Inf\infstrng.dat

2010-08-22 15:11 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infstor.dat

2010-08-22 05:06 . 2010-08-03 16:52 0 ----a-w- c:\users\xayana\AppData\Local\Tlajewe.bin

2010-08-22 04:57 . 2010-08-03 16:52 1098 ----a-w- c:\users\xayana\AppData\Local\Jnuyepopepacu.dat

2010-08-21 18:47 . 2008-10-17 00:46 -------- d-----w- c:\program files\Xfire

2010-08-21 18:45 . 2010-08-21 18:41 -------- d--h--w- c:\program files\Temp

2010-08-21 18:41 . 2007-11-27 10:59 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-21 18:41 . 2007-11-27 10:59 319456 ----a-w- c:\windows\DIFxAPI.dll

2010-08-21 15:37 . 2010-08-21 15:37 -------- d-----w- c:\program files\Trend Micro

2010-08-21 04:36 . 2010-08-09 04:36 452104 ----a-w- c:\users\xayana\AppData\Roaming\Real\Update\setup3.12\setup.exe

2010-08-20 23:12 . 2007-11-27 11:07 -------- d---a-w- c:\program files\Common Files\LightScribe

2010-08-20 21:38 . 2010-08-20 21:38 -------- d-----w- c:\programdata\IObit

2010-08-20 21:38 . 2010-08-20 21:38 -------- d-----w- c:\program files\IObit

2010-08-19 23:13 . 2010-08-19 23:13 -------- d-----w- c:\programdata\Driver Whiz

2010-08-19 16:14 . 2010-08-19 16:14 -------- d-----w- c:\programdata\Office Genuine Advantage

2010-08-19 03:39 . 2008-04-20 15:18 -------- d-----w- c:\users\xayana\AppData\Roaming\Ventrilo

2010-08-16 20:53 . 2010-07-29 23:09 -------- d-----w- c:\program files\Guild Wars

2010-08-14 15:38 . 2010-08-28 18:15 2596864 ----a-w- c:\users\xayana\AppData\Roaming\Neoretix\TubeHunter Ultra\TubeHunter.exe

2010-08-10 17:14 . 2010-08-10 17:14 -------- d-----w- c:\users\xayana\AppData\Roaming\NVIDIA

2010-08-10 17:13 . 2010-07-03 14:12 -------- d-----w- c:\program files\NVIDIA Corporation

2010-08-10 14:31 . 2010-08-12 22:20 1328504 ----a-w- c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe

2010-08-10 14:31 . 2010-08-12 22:20 724992 ----a-w- c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll

2010-08-08 05:46 . 2010-08-07 05:07 -------- d-----w- c:\users\xayana\AppData\Roaming\Audacity

2010-08-01 20:51 . 2009-11-27 08:36 99 ----a-w- c:\users\xayana\jagex_runescape_preferences2.dat

2010-08-01 20:40 . 2009-11-27 08:35 46 ----a-w- c:\users\xayana\jagex_runescape_preferences.dat

2010-08-01 20:39 . 2010-08-01 20:39 0 ----a-w- c:\users\xayana\jagex__preferences3.dat

2010-07-27 13:46 . 2009-02-21 13:57 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2010-07-27 13:46 . 2009-02-21 13:57 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2010-07-26 01:19 . 2010-07-28 21:00 52224 ----a-w- c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll

2010-07-26 01:19 . 2010-07-28 21:00 101376 ----a-w- c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

2010-07-23 22:32 . 2010-08-28 18:15 28672 ----a-w- c:\users\xayana\AppData\Roaming\Neoretix\TubeHunter Ultra\WSDll.dll

2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll

2007-08-24 13:52 . 2008-02-25 00:50 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2007-11-27 10:24 . 2007-11-27 10:19 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-C39E-35F1D2A32EC8}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-25 39408]

"Google Update"="c:\users\xayana\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"Steam"="c:\program files\Steam\Steam.exe" [2010-08-23 1242448]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [2010-03-24 243544]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=ma_cmidn.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Orbit.lnk

backup=c:\windows\pss\Orbit.lnk.CommonStartup

backupExtension=.CommonStartup

 

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk

backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup

backupExtension=.CommonStartup

 

[HKLM\~\startupfolder\C:^Users^xayana^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]

path=c:\users\xayana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk

backup=c:\windows\pss\IMVU.lnk.Startup

backupExtension=.Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

2008-10-31 19:22 50480 ----a-w- c:\program files\AIM6\aim6.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

2009-02-01 16:52 4608 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]

2009-11-07 00:18 323392 ----a-w- c:\program files\DNA\btdna.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-09-03 20:59 133104 ----atw- c:\users\xayana\AppData\Local\Google\Update\GoogleUpdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]

2007-10-04 02:02 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]

2009-05-15 02:03 1103216 ----a-w- c:\program files\Download Manager\DLM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-02-16 00:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2006-12-08 16:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]

2009-10-29 12:54 1218008 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]

2008-07-21 23:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2010-06-07 22:48 13917800 ----a-w- c:\windows\System32\nvcpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2010-06-07 22:48 110696 ----a-w- c:\windows\System32\nvmctray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]

2010-06-07 22:48 1331816 ----a-w- c:\windows\System32\nvsvc.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]

2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]

2009-11-26 03:27 160592 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]

2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-08-23 21:56 1242448 ----a-w- c:\program files\Steam\Steam.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]

2007-04-07 10:56 54936 ----a-w- c:\windows\System32\jureg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-05-21 16:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-11-25 04:23 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2008-12-30 05:14 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]

2008-01-19 07:36 2153472 ----a-w- c:\windows\System32\oobefldr.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

R2 Akamai;Akamai;c:\windows\System32\svchost.exe [2008-01-19 21504]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 jnv4_mib;jnv4_mib;c:\users\xayana\AppData\Local\Temp\jnv4_mib.sys [x]

R3 L6UX2;Service - Line 6 UX2;c:\windows\system32\Drivers\L6UX2.sys [2008-10-24 530560]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-06-15 3583592]

R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2007-09-13 25760]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R3 XDva279;XDva279;c:\windows\system32\XDva279.sys [x]

R3 XDva281;XDva281;c:\windows\system32\XDva281.sys [x]

R3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\DRIVERS\xpadfl02.sys [2006-12-24 27904]

R4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [x]

R4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [x]

R4 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [2009-12-04 103280]

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-05-23 721904]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

R4 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2009-11-13 46824]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]

S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]

S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-10 18944]

S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-01-27 50704]

S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [2009-08-24 126392]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-06-07 240232]

S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]

S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-10-24 13952]

S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-10-24 28800]

S3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\DRIVERS\xcbda.sys [2007-09-07 156928]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

 

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955406299-1574123280-2996431306-1000Core.job

- c:\users\xayana\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 20:59]

 

2010-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2955406299-1574123280-2996431306-1000UA.job

- c:\users\xayana\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 20:59]

 

2010-09-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

 

2010-09-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

 

2010-10-04 c:\windows\Tasks\Norton Security Scan for xayana.job

- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-04-22 15:06]

 

2010-10-04 c:\windows\Tasks\User_Feed_Synchronization-{880495CF-AA0C-4812-9E27-8B5B14FF8C6B}.job

- c:\windows\system32\msfeedssync.exe [2010-09-30 04:24]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\xayana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk

DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.23.0.cab

FF - ProfilePath - c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=

FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=

FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll

FF - component: c:\program files\MSN Toolbar\Platform\5.0.1423.0\Firefox\components\DomBridge.dll

FF - component: c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll

FF - component: c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

FF - component: c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll

FF - plugin: c:\program files\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll

FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\users\xayana\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\users\xayana\AppData\Local\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll

FF - plugin: c:\users\xayana\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll

FF - plugin: c:\users\xayana\AppData\Roaming\Mozilla\Firefox\Profiles\gqsmtw6o.default\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll

FF - plugin: c:\windows\system32\C2MP\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-Avi Player - c:\program files\Avi Player\AviPlayer.exe

 

 

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCCUJobMgr]

"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]

"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-2955406299-1574123280-2996431306-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

"??"=hex:bd,a5,f2,eb,82,ca,34,df,e6,53,8a,51,95,70,62,13,8c,18,e5,8a,b1,b2,5e,

22,47,52,db,58,cf,f4,cd,da,b5,8d,fe,9e,12,6e,05,03,a9,96,fd,a2,8a,8d,25,9b,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

 

[HKEY_USERS\S-1-5-21-2955406299-1574123280-2996431306-1000\Software\SecuROM\License information*]

@Allowed: (Read) (RestrictedCode)

"datasecu"=hex:44,fd,46,ac,12,1e,20,a1,ed,29,41,a2,3c,c5,a9,f9,dc,07,6c,fd,d7,

4b,fb,09,c7,a4,5b,40,23,a4,1c,82,79,d8,c4,21,65,d9,c3,bf,42,31,22,13,07,1a,\

"rkeysecu"=hex:aa,ad,af,f3,fe,49,4f,fc,6a,b0,58,61,f6,18,3d,9e

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2010-10-04 15:52:30

ComboFix-quarantined-files.txt 2010-10-04 20:52

ComboFix2.txt 2010-09-30 23:01

ComboFix3.txt 2010-08-22 05:57

 

Pre-Run: 241,605,246,976 bytes free

Post-Run: 241,587,437,568 bytes free

 

- - End Of File - - 2F695E342C37DA2BD5A88D41CD2FAA87

Posted

P2P - I see you have P2P software installed on your machine (Azureus). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

 

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

 

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

*******************************************

Update Your Java (JRE)

 

Old versions of Java have vulnerabilities that malware can use to infect your system.

 

First Verify your Java Version

 

If there are any other version(s) installed, then update now.

 

Get the new version (if needed)

 

If your version is out of date, install the newest version of the Sun Java Runtime Environment.

 

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

 

Be sure to close ALL open web browsers before starting the installation.

 

Remove any old versions

 

1. Download JavaRa and unzip the file to your Desktop.

2. Open JavaRA.exe and choose Remove Older Versions.

3. Once complete, exit JavaRA.

4. Run CCleaner.

 

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

 

*********************************

Please download the newest version of Adobe Acrobat Reader from Adobe.com

 

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.

Go to the Control Panel and enter Add or Remove Programs.

Search the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

 

Once old versions are gone, please install the newest version.

***************************************************

I strongly recommend that you remove Ask from your computer because it:

 

• Promotes its toolbars on sites targeted to kids.

 

• Promotes its toolbars through ads that appear to be part of other companies' sites.

 

• Promotes its toolbars through other companies' spyware.

 

• Installs without any disclosure whatsoever and without any consent whatsoever.

 

• Solicits installations via "deceptive door openers" that do not accurately describe the offer; fails to affirmatively show a license agreement; links to a EULA via an off-screen link.

 

• Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

 

See Here for more info.

 

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

 

AskBarDis or anything related to Ask

 

Then please find and delete this folder in bold (if present):

C:\Program Files\AskBarDis, or anything related to Ask.

***************************************************

Please go to Jotti's malware scan

(If more than one file needs to be scanned, they must be done separately and links posted for each one.)

 

* Copy the file path in the below Code box:

 

c:\windows\system32\XDva279.sys
c:\windows\system32\XDva281.sys

 

* At the upload site, click once inside the window next to Browse.

* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.

* Next click Submit file

* Your file will possibly be entered into a queue which normally takes less than a minute to clear.

* This will perform a scan across multiple different virus scanning engines.

* Important: Wait for all of the scanning engines to complete.

**************************************

You have Viewpoint installed.

 

Viewpoint Media Player/Manager/Toolbar is considered Foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

 

More information:

 

* ViewMgr.exe - Useless

* Viewpoint to Plunge Into Adware

 

It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs (on Vista & Win7 it is Programs and Features) and remove the following programs if present.

* Viewpoint

* Viewpoint Manager

* Viewpoint Media Player

* Viewpoint Toolbar

* Viewpoint Experience Technology

*****************************************

 

* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
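The Java, Ask and Viewpoint advice above is given as manual Control Panel steps; the following PowerShell script is an added example (not the helper's or IObit's code) that reads the standard Uninstall registry keys to list every installed Java runtime, flag the ones older than the newest copy, and report any Ask or Viewpoint entries still present. It assumes the standard HKLM Uninstall key layout and the AskBarDis folder path named in the reply.

```powershell
# Added example: inventory leftovers the reply above asks the user to remove.
# Run from an elevated PowerShell prompt; read-only, it changes nothing.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString

# (a) Java runtimes. DisplayVersion reads like "6.0.210" for Java 6 Update 21,
#     so casting to [version] gives a correct ordering; entries whose version
#     string does not parse are skipped rather than mis-ranked.
$java = @($programs |
    Where-Object { $_.DisplayName -match '^Java' -and ($_.DisplayVersion -as [version]) } |
    Sort-Object { [version]$_.DisplayVersion } -Descending)

if ($java.Count -gt 0) {
    $newest = [version]$java[0].DisplayVersion
    "Installed Java runtimes (newest first):"
    foreach ($j in $java) {
        $state = if ([version]$j.DisplayVersion -lt $newest) { 'STALE - remove' } else { 'newest installed' }
        "{0,-40} {1,-12} {2}" -f $j.DisplayName, $j.DisplayVersion, $state
    }
    # Only compares installed copies with each other; whether the newest one
    # here is actually current must still be checked against the vendor's
    # download page, as the reply says.
} else {
    "No Java runtime found in the Uninstall keys."
}

# (b) Ask and Viewpoint entries the reply asks the user to uninstall.
$unwanted = @($programs | Where-Object { $_.DisplayName -match '^Ask|AskBar|Viewpoint' })
if ($unwanted.Count -gt 0) {
    "Ask / Viewpoint entries still registered:"
    $unwanted | Format-Table DisplayName, UninstallString -AutoSize
} else {
    "No Ask or Viewpoint entries registered."
}

# (c) Folder the reply says to delete by hand once AskBarDis is uninstalled.
$askFolder = 'C:\Program Files\AskBarDis'
if (Test-Path -LiteralPath $askFolder) { "$askFolder is still present." }
```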
