
Author Topic: Computer possibly compromised  (Read 17418 times)


quaxo (Topic Starter)
Computer possibly compromised
« on: April 23, 2010, 10:51:42 PM »
Seems my computer, as well as a few other computers of people at an office I do work at, have been compromised. There has been access to my Gmail account from China (according to a message to me from Gmail) in the past few days, my Warcraft account has been hacked, and two other people I know at this office have had their Hotmail accounts accessed and used to spam people in their contacts in the last two days.

I did a full scan of all of my computers with Kaspersky Internet Security 2010 (which is always running on them anyway and automatically updates daily) and came up with nothing.

If one of you fine fellows could have a look at my other logs and see if you see anything suspicious, I would much appreciate it.

SAS found 6 tracking cookies. I was familiar with where all came from.
Code:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/24/2010 at 10:40 AM

Application Version : 4.35.1002

Core Rules Database Version : 4846
Trace Rules Database Version: 2658

Scan type       : Quick Scan
Total Scan Time : 01:47:07

Memory items scanned      : 634
Memory threats detected   : 0
Registry items scanned    : 525
Registry threats detected : 0
File items scanned        : 93216
File threats detected     : 6

Adware.Tracking Cookie
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\noah@questionmarket[2].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\noah@doubleclick[1].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\noah@serving-sys[2].txt
C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Cookies\noah@atdmt[1].txt

MBAM Log
Code:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4029

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/24/2010 11:48:38 AM
mbam-log-2010-04-24 (11-48-38).txt

Scan type: Quick scan
Objects scanned: 112204
Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT Log
Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:12:43 AM, on 4/24/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\System32\mobsync.exe
C:\World of Warcraft\Launcher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Noah\Downloads\stealth.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [avp] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O20 - AppInit_DLLs: acaptuser32.dll,C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~2\kloehk.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit (mi-raysat_3dsmax2010_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 12196 bytes
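The first-pass read a log reviewer does on a HijackThis log like the one above can be automated. The Python script below is an added example, not code from this thread or from HijackThis itself: it parses the "Running processes" section and the typed O-lines, then flags the entries a reviewer checks first: executables running or autostarting from user-writable folders (Downloads, Desktop, Temp), orphaned O2/O3 registrations that point to "(no file)", the O20 AppInit_DLLs list, and O23 services with no publisher string. The folder list and the categories are triage heuristics (an assumption about reviewer priorities), not verdicts about any file; the sample log is a constructed excerpt modeled on the log posted above.

```python
"""Triage pass over a HijackThis-style log (added example, not thread code)."""
import re

# Constructed excerpt modeled on the HJT log posted above; not the full log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:12:43 AM, on 4/24/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Noah\Downloads\stealth.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [avp] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O20 - AppInit_DLLs: acaptuser32.dll,C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
"""

# Folders an installed product's binaries rarely live in; a reviewer looks at
# anything that runs or autostarts from here first (heuristic, an assumption).
USER_WRITABLE_DIRS = (
    "\\downloads\\",
    "\\desktop\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
)

# HJT entry lines look like "O4 - HKLM\..\Run: [name] path" or "R1 - ...".
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")


def in_user_writable_dir(text):
    """True if the line refers to a path under one of USER_WRITABLE_DIRS."""
    lowered = text.lower()
    return any(d in lowered for d in USER_WRITABLE_DIRS)


def parse_hjt(log_text):
    """Split an HJT log into its running-process list and its typed entries.

    Returns (processes, entries): processes is a list of image paths from
    the 'Running processes:' section; entries is a list of (type, rest)
    tuples such as ('O2', 'BHO: ... - (no file)').
    """
    processes, entries = [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the process section
                in_processes = False
            else:
                processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return processes, entries


def triage(log_text):
    """Return a list of (category, line) findings worth a closer look."""
    processes, entries = parse_hjt(log_text)
    findings = []
    for image in processes:
        if in_user_writable_dir(image):
            findings.append(("process-in-user-dir", image))
    for otype, rest in entries:
        if otype in ("O2", "O3") and rest.endswith("(no file)"):
            # Orphaned BHO/toolbar registration: a dead entry, usually just cleanup.
            findings.append(("orphaned-" + otype, rest))
        elif otype == "O4" and in_user_writable_dir(rest):
            findings.append(("autorun-in-user-dir", rest))
        elif otype == "O20":
            # AppInit_DLLs are loaded into every process that links user32.dll,
            # so each listed DLL should be tied to a known product.
            findings.append(("appinit-dlls", rest))
        elif otype == "O23" and "Unknown owner" in rest:
            # Low signal on its own: many OEM services lack a publisher string.
            findings.append(("service-unknown-owner", rest))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"[{category}] {line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the categories are a reading order, not a cleanup list, and a flagged path such as an executable in Downloads is simply the first thing to identify and check the publisher of.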

Dr Jay (Malware Removal Specialist, Moderator emeritus)
Re: Computer possibly compromised
« Reply #1 on: April 24, 2010, 07:21:49 AM »
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\combo-fix.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
~Dr Jay

quaxo (Topic Starter)
Re: Computer possibly compromised
« Reply #2 on: April 24, 2010, 07:54:05 PM »
Ok, here's that log:
Code:
ComboFix 10-04-21.01 - Noah 04/25/2010   8:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3070.1548 [GMT 7:00]
Running from: c:\users\Noah\Desktop\combo-fix.exe
Command switches used :: /stepdel
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2299539283-4137082352-299996081-500
c:\$recycle.bin\S-1-5-21-2663311255-305293875-2490082889-500
c:\$recycle.bin\S-1-5-21-2299539283-4137082352-299996081-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2663311255-305293875-2490082889-500\desktop.ini
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
c:\windows\system32\KBL.LOG

.
(((((((((((((((((((((((((   Files Created from 2010-03-25 to 2010-04-25  )))))))))))))))))))))))))))))))
.

2010-04-25 01:23 . 2010-04-25 01:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-24 04:32 . 2010-04-24 04:32 -------- d-----w- c:\users\Noah\AppData\Roaming\Malwarebytes
2010-04-24 04:32 . 2010-03-29 17:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 04:31 . 2010-04-24 04:31 -------- d-----w- c:\programdata\Malwarebytes
2010-04-24 04:31 . 2010-04-24 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-24 04:31 . 2010-03-29 17:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 01:29 . 2010-04-24 01:29 52224 ----a-w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-24 01:29 . 2010-04-24 01:29 117760 ----a-w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-24 01:28 . 2010-04-24 01:28 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-24 01:27 . 2010-04-24 01:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-24 01:27 . 2010-04-24 01:27 -------- d-----w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com
2010-04-16 05:32 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 05:32 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 05:32 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 05:32 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-16 05:32 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 05:31 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-16 05:29 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-16 05:28 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-16 05:28 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-16 05:28 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-16 05:27 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-10 03:06 . 2010-04-10 03:06 -------- d-----w- c:\windows\system32\Adobe
2010-04-05 04:01 . 2010-04-05 04:01 -------- d-----w- c:\program files\MagicISO
2010-04-05 02:14 . 2010-04-05 02:14 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-29 09:09 . 2010-04-02 01:31 -------- d-----w- c:\users\Noah\AppData\Roaming\skypePM
2010-03-29 09:04 . 2010-04-02 01:32 -------- d-----w- c:\users\Noah\AppData\Roaming\Skype
2010-03-29 09:02 . 2010-04-02 01:39 -------- d-----w- c:\programdata\Skype

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 05:39 . 2009-10-30 01:46 111336 ----a-w- c:\programdata\nvModes.dat
2010-04-24 01:26 . 2009-11-06 01:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-23 03:46 . 2009-11-23 02:14 -------- d-----w- c:\users\Noah\AppData\Roaming\Free Download Manager
2010-04-23 03:46 . 2009-10-16 02:06 -------- d-----w- c:\programdata\Kaspersky Lab
2010-04-18 06:15 . 2009-11-29 05:12 -------- d-----w- c:\users\Noah\AppData\Roaming\vlc
2010-04-18 04:52 . 2010-02-22 05:05 -------- d-----w- c:\users\Noah\AppData\Roaming\dvdcss
2010-04-17 05:26 . 2008-03-07 18:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 05:33 . 2008-03-07 18:56 -------- d-----w- c:\programdata\Microsoft Help
2010-04-16 02:37 . 2009-12-06 03:24 -------- d-----w- c:\program files\Google
2010-04-05 04:03 . 2009-10-16 03:20 -------- d-----w- c:\users\Noah\AppData\Roaming\uTorrent
2010-04-02 09:27 . 2008-07-19 08:52 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-02 01:36 . 2008-03-07 20:04 -------- d-----w- c:\program files\Java
2010-03-29 09:09 . 2010-03-29 09:09 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-03-29 01:14 . 2009-12-19 09:31 680 ----a-w- c:\users\Noah\AppData\Local\d3d9caps.dat
2010-03-21 02:49 . 2010-03-21 02:49 -------- d-----w- c:\program files\IObit
2010-03-09 06:45 . 2008-07-19 09:15 -------- d-----w- c:\programdata\WildTangent
2010-03-09 06:38 . 2009-11-06 01:57 -------- d-----w- c:\programdata\Media Center Programs
2010-03-08 21:28 . 2010-01-21 04:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 03:16 . 2009-10-16 02:21 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-02 01:52 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-02 01:52 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-04-02 01:52 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-04-02 01:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 05:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 05:42 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 05:42 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2009-02-27 18:47 . 2009-10-16 16:47 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2009-11-13 05:37 . 2009-10-16 02:06 4634144 --sha-w- c:\windows\System32\drivers\fidbox.dat
2009-11-13 05:37 . 2009-10-16 02:06 745504 --sha-w- c:\windows\System32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-05-05 1466368]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-03 92704]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-19 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):84,96,33,27,0a,59,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2299539283-4137082352-299996081-1003]
"EnableNotificationsRef"=dword:00000002

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 135664]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-03-12 86016]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV
*NewlyCreated* - SASENUM
*NewlyCreated* - SASKUTIL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ    BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
WindowsMobile REG_MULTI_SZ    wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ    WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 10:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 02:50]

2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Noah\AppData\Roaming\Mozilla\Firefox\Profiles\fse4u3p0.default\
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Mozilla *Blocked Russian URL*\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-25 08:24
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

 [0] 0x00690076

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2299539283-4137082352-299996081-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d3,d7,d0,6b,8f,10,99,81,a3,c1,dc,28,51,33,8b,9f,30,0c,dc,ec,67,e6,06,
   3e,e4,68,13,d9,39,fc,72,13,74,f2,09,b1,bf,5f,23,0a,ec,98,3c,8d,70,cd,2b,ce,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-25  08:30:03
ComboFix-quarantined-files.txt  2010-04-25 01:29

Pre-Run: 44,393,619,456 bytes free
Post-Run: 48,444,194,816 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,17
- - End Of File - - 9154B4621CA13F235466BA7EFDF10DBA

Sorry for the delay. I didn't take this laptop home with me last night. After we're done clearing this one, I'll post logs for my desktop at home to make sure it's clean as well.

Dr Jay

  • Malware Removal Specialist


  • Specialist
  • Moderator emeritus
  • Thanked: 119
  • Experience: Guru
  • OS: Windows 10
Re: Computer possibly compromised
« Reply #3 on: April 24, 2010, 10:10:53 PM »
GMER

Note about this tool:
  • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
  • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
  • No matter what is in the log, please post all the information/contents of the log.
Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
~Dr Jay

quaxo
Re: Computer possibly compromised
« Reply #4 on: April 24, 2010, 11:57:32 PM »
It's not finished scanning and it's already pages long. Should I just attach the txt file when it finishes?

quaxo
Re: Computer possibly compromised
« Reply #5 on: April 25, 2010, 12:40:27 AM »
Complete gmer log.

[recovering disk space - old attachment deleted by admin]

Dr Jay
Re: Computer possibly compromised
« Reply #6 on: April 25, 2010, 02:38:36 AM »
Please download RootRepeal from GooglePages.com.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe.
  • Click Settings > Options. Drag the slider to High Level. Then, click the Red X.
  • Go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.
Please remove any e-mail address in the RootRepeal report (if present).
~Dr Jay

quaxo
Re: Computer possibly compromised
« Reply #7 on: April 25, 2010, 03:06:20 AM »
I've got it running now, but I'll be leaving the shop here in about 20 minutes to head back home and I'll continue it then if it doesn't finish before I leave.

quaxo
Re: Computer possibly compromised
« Reply #8 on: April 25, 2010, 03:34:50 AM »
RootRepeal gave an error, then closed. The error window was empty. After clicking the X close button, a second smaller but equally empty window popped up, then RootRepeal closed.

[recovering disk space - old attachment deleted by admin]

Dr Jay
Re: Computer possibly compromised
« Reply #9 on: April 25, 2010, 12:15:32 PM »
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code: [Select]
:filefind
scecli.dll
netlogon.dll
eventlog.dll
winlogon.exe
comres.dll
crypt32.dll
gpedit.dll
rundll32.exe
sfc.dll
svchost.exe
cngaudit.dll
beep.sys
wscntfy.exe
atapi.sys
bthport.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
~Dr Jay

quaxo
Re: Computer possibly compromised
« Reply #10 on: April 25, 2010, 08:42:22 PM »
Code: [Select]
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:29 on 26/04/2010 by Noah (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 177152 bytes [01:27 25/04/2010] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\System32\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [02:24 21/01/2008] [02:24 21/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1

Searching for "netlogon.dll"
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 592896 bytes [01:27 25/04/2010] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE
C:\WINDOWS\System32\netlogon.dll --a--- 592896 bytes [17:42 28/10/2009] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE
C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll --a--- 592384 bytes [02:24 21/01/2008] [02:24 21/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F
C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll --a--- 592896 bytes [17:42 28/10/2009] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE

Searching for "eventlog.dll"
C:\Program Files\CyberLink\PowerDirector\EventLog.dll --a--- 7216 bytes [06:30 13/01/2007] [06:30 13/01/2007] C2A279A458A06DE2C83D842AA042B5A8

Searching for "winlogon.exe"
C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 314368 bytes [01:27 25/04/2010] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452
C:\WINDOWS\System32\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452
C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe --a--- 314880 bytes [02:24 21/01/2008] [02:24 21/01/2008] C2610B6BDBEFC053BBDAB4F1B965CB24
C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452

Searching for "comres.dll"
C:\WINDOWS\System32\comres.dll --a--- 1291264 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4211249955AF9133E2E357CC92B54DFD
C:\WINDOWS\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4211249955AF9133E2E357CC92B54DFD

Searching for "crypt32.dll"
C:\WINDOWS\System32\crypt32.dll --a--- 978944 bytes [17:43 28/10/2009] [06:28 11/04/2009] 6659EC6006FD99A3AF1B8A6306F8BE3C
C:\WINDOWS\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\crypt32.dll --a--- 977408 bytes [02:24 21/01/2008] [02:24 21/01/2008] D4D86075510C02F887528207D8E0D713
C:\WINDOWS\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6002.18005_none_5d5b3ae7daf59226\crypt32.dll --a--- 978944 bytes [17:43 28/10/2009] [06:28 11/04/2009] 6659EC6006FD99A3AF1B8A6306F8BE3C

Searching for "gpedit.dll"
C:\WINDOWS\System32\gpedit.dll --a--- 950784 bytes [17:43 28/10/2009] [06:28 11/04/2009] 4E51A7052D162B2BA85612B486A68A45
C:\WINDOWS\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6001.18000_none_ce322c9564e76885\gpedit.dll --a--- 936960 bytes [02:24 21/01/2008] [02:24 21/01/2008] E3DDEB38C6303086F79C6B7E83C372C8
C:\WINDOWS\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6002.18005_none_d01da5a1620933d1\gpedit.dll --a--- 950784 bytes [17:43 28/10/2009] [06:28 11/04/2009] 4E51A7052D162B2BA85612B486A68A45

Searching for "rundll32.exe"
C:\WINDOWS\System32\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A
C:\WINDOWS\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.0.6000.16386_none_d5ce8f93adff8210\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A

Searching for "sfc.dll"
C:\WINDOWS\ERDNT\cache\sfc.dll --a--- 4608 bytes [01:27 25/04/2010] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\WINDOWS\System32\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\WINDOWS\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.0.6001.18000_none_a735c34c5c31a578\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8

Searching for "svchost.exe"
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 21504 bytes [01:27 25/04/2010] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF
C:\WINDOWS\System32\svchost.exe --a--- 21504 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF
C:\WINDOWS\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe --a--- 21504 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF

Searching for "cngaudit.dll"
C:\WINDOWS\ERDNT\cache\cngaudit.dll --a--- 11776 bytes [01:27 25/04/2010] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\WINDOWS\System32\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

Searching for "beep.sys"
C:\WINDOWS\ERDNT\cache\beep.sys --a--- 6144 bytes [01:27 25/04/2010] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6
C:\WINDOWS\System32\drivers\beep.sys --a--- 6144 bytes [02:23 21/01/2008] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6
C:\WINDOWS\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6001.18000_none_c420a153079d485b\beep.sys --a--- 6144 bytes [02:23 21/01/2008] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6

Searching for "wscntfy.exe"
No files found.

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 19944 bytes [01:27 25/04/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\WINDOWS\System32\drivers\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

Searching for "bthport.sys"
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_00899617\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_03301a54\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] 73D53F8E90550BA81E2CF44A0873B410
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_c206c850\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] B4CE8000AAB30A9AB16CD0FB3DB4D7CF
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_cf39a24e\bthport.sys --a--- 220160 bytes [10:25 02/11/2006] [08:55 02/11/2006] 4A74BBB2B6761789F42A6613479BDB1D
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_f5996c35\bthport.sys --a--- 219648 bytes [02:23 21/01/2008] [02:23 21/01/2008] 671134053D59E23704F08DB19F11E10B
C:\WINDOWS\System32\drivers\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6000.16682_none_700a06c9bea9b8da\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] B4CE8000AAB30A9AB16CD0FB3DB4D7CF
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6000.20824_none_70d68596d794e0d3\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:35 29/04/2008] 57DFAC97330E986F845B16B29314D21F
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.18000_none_7244c43bbb913795\bthport.sys --a--- 219648 bytes [02:23 21/01/2008] [02:23 21/01/2008] 671134053D59E23704F08DB19F11E10B
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.18064_none_7207e5dbbbbe4497\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] 73D53F8E90550BA81E2CF44A0873B410
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.22168_none_729583ced4d849bd\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:43 29/04/2008] 9F299C5274672900591E7C616D725F56
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6002.18005_none_74303d47b8b302e1\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB

-=End Of File=-
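
The SystemLook :filefind log above lists every copy of each requested name with its size and MD5. The point of asking for this list is the comparison the helper does by eye: the copy Windows actually loads (System32 or System32\drivers) should carry the same MD5 as one of the copies in the WinSxS component store or the driver store for that file version, while ComboFix's ERDNT\cache copies are backups and not a reference. A live copy whose hash matches no component-store copy is the thing worth a second look, since it can mean a system file was patched or replaced. The script below automates that check. It is an added example, not part of the thread or of SystemLook; the log text it parses is constructed in SystemLook's format (modelled on the log above), with an all-zero MD5 deliberately placed on the live winlogon.exe so that the flagged case is visible.

```python
"""Parse SystemLook ':filefind' output and flag live system files whose MD5
matches no WinSxS / DriverStore copy.  Added example; not the forum thread's
or SystemLook's own code.  Reads a constructed sample; point main() at a real
SystemLook.txt to use it on an actual log."""
import re
from dataclasses import dataclass

# One result line: <path> <attrs> <size> bytes [<modified>] [<created>] <md5>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]+) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Constructed sample log in SystemLook's format (not the thread's real log).
# The live winlogon.exe hash is a deliberate placeholder that matches nothing.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:29 on 26/04/2010 by Noah (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 177152 bytes [01:27 25/04/2010] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\System32\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_6.0.6001.18000\scecli.dll --a--- 177152 bytes [02:24 21/01/2008] [02:24 21/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_6.0.6002.18005\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1

Searching for "eventlog.dll"
C:\Program Files\CyberLink\PowerDirector\EventLog.dll --a--- 7216 bytes [06:30 13/01/2007] [06:30 13/01/2007] C2A279A458A06DE2C83D842AA042B5A8

Searching for "winlogon.exe"
C:\WINDOWS\System32\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 00000000000000000000000000000000
C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_6.0.6002.18005\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452

Searching for "wscntfy.exe"
No files found.

-=End Of File=-
"""


@dataclass
class Entry:
    path: str
    size: int
    md5: str

    @property
    def kind(self) -> str:
        """Classify a copy by where it lives on disk."""
        p = self.path.lower()
        if "\\winsxs\\" in p or "\\driverstore\\" in p:
            return "reference"  # component-store / driver-store copy
        if "\\erdnt\\" in p:
            return "backup"     # ComboFix ERDNT backup, not a reference
        return "live"           # the copy Windows actually loads


@dataclass
class Verdict:
    status: str
    detail: str


def parse_filefind(text: str) -> dict:
    """Group result lines under the name from each 'Searching for' header."""
    results, current = {}, None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results[current] = []
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            results[current].append(
                Entry(m.group("path"), int(m.group("size")), m.group("md5").upper()))
    return results


def check_live_copies(results: dict) -> dict:
    """For each name, does every live copy's MD5 appear among the reference copies?"""
    verdicts = {}
    for name, entries in results.items():
        live = [e for e in entries if e.kind == "live"]
        ref_hashes = {e.md5 for e in entries if e.kind == "reference"}
        if not entries:
            verdicts[name] = Verdict("not found", "no copies on disk")
        elif not live:
            verdicts[name] = Verdict("no live copy", "only reference/backup copies present")
        elif not ref_hashes:
            verdicts[name] = Verdict("unverified", "no component-store copy to compare against")
        else:
            bad = [e for e in live if e.md5 not in ref_hashes]
            if bad:
                verdicts[name] = Verdict(
                    "mismatch", "; ".join(f"{e.path} md5={e.md5}" for e in bad))
            else:
                verdicts[name] = Verdict("ok", f"{len(live)} live copy/copies match a reference copy")
    return verdicts


if __name__ == "__main__":
    for name, v in check_live_copies(parse_filefind(SAMPLE_LOG)).items():
        print(f"{name:14s} {v.status:12s} {v.detail}")
```

Run against the thread's own log in the post above, every System32 and System32\drivers copy carries the same MD5 as one of its WinSxS or DriverStore copies, so the script would report "ok" for each of them; eventlog.dll comes back "unverified" because the only copy found is a third-party file with nothing to compare it to, and wscntfy.exe is "not found", which is expected on a Vista system since it is an XP Security Center component. The classification is by path prefix only, so treat a "mismatch" as a reason to check the file further (signature, version resource, a second scanner), not as a verdict on its own.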

Dr Jay
Re: Computer possibly compromised
« Reply #11 on: April 25, 2010, 10:26:06 PM »
Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
~Dr Jay

quaxo
Re: Computer possibly compromised
« Reply #12 on: April 26, 2010, 01:01:43 AM »
I've managed to download the installer, but so far the installer hasn't been able to download the rest of the program. The internet at my current location isn't that great so I'll have to try this in about 3-4 hours when I get home.

Dr Jay
Re: Computer possibly compromised
« Reply #13 on: April 26, 2010, 07:56:35 PM »
ok
~Dr Jay

quaxo
Re: Computer possibly compromised
« Reply #14 on: April 26, 2010, 10:32:53 PM »
Finally got this to download and scan. Didn't detect anything.

Code: [Select]
ESETSmartInstaller@High as downloader log:
Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not extract cabC:\Program Files\ESET\ESET Online Scanner\OnlineScanner.cabErr:The operation completed successfully.
ESETSmartInstaller@High as downloader log:
Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not extract cabC:\Program Files\ESET\ESET Online Scanner\OnlineScanner.cabErr:Cannot create a file when that file already exists.
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=04ab12bcc15cd643b9d6b91d41a57cdf
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-27 04:31:58
# local_time=2010-04-27 11:31:58 (+0700, SE Asia Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1280 16777215 100 0 13405978 13405978 0 0
# compatibility_mode=5892 16776573 100 100 0 109860867 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=193020
# found=0
# cleaned=0
# scan_time=10979