random sounds (thunder/voices) coming from comp

Unread postby rlindeman » August 25th, 2008, 10:21 pm

I've been hearing some suspicious sounds (voices/thunder) coming from my computer and have spotted several suspicious processes running. I have run both Trend Micro's online scan and AVG. Both pointed to a trojan virus and said they were successfully healed. I was wondering if there was any possibility of removing my problem. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:10 PM, on 8/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: iReboot 1.0.0.lnk = C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.Robert-PC (HKLM)
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/i ... downls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\Windows\system32\macidwe.exe
O23 - Service: NOBICYT - Unknown owner - C:\Windows\system32\Nobicyt.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\Windows\system32\perfs.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Routing - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: roxtctm Manages messages (roxtctm) - Unknown owner - C:\Windows\system32\roxtctm.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: sobicyt - Unknown owner - C:\Windows\system32\sobicyt.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\Windows\system32\tdxdowkc.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
O23 - Service: WServing - Unknown owner - C:\Windows\system32\WServing.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9135 bytes
rlindeman
Regular Member
 
Posts: 15
Joined: August 25th, 2008, 10:16 pm

Re: random sounds (thunder/voices) coming from comp

Unread postby Shaba » August 28th, 2008, 4:14 am

Hi rlindeman

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
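The kind of entry that draws this diagnosis is visible in the HijackThis log above: O23 services whose binary sits in System32 but whose publisher HijackThis could not resolve ("Unknown owner"), one of them with the binary already missing. As an added example, not code from MalwareRemoval.com, HijackThis or ComboFix, the script below applies that triage rule to the O23 lines and then checks each flagged service against the "Other Deletions" and "Drivers/Services" sections of the ComboFix log posted later in this thread. The sample lines are copied from those two logs; the "Unknown owner plus System32" heuristic is an assumption chosen for illustration, not a verdict HijackThis itself produces.

```python
"""Triage of HijackThis O23 service lines, cross-checked against a ComboFix log.
Added example; not MalwareRemoval.com's, HijackThis's or ComboFix's own code.
Rule encoded (an assumption for illustration): a service binary in System32 whose
publisher HijackThis could not resolve, or whose binary is missing, gets a second look.
Sample lines are copied from the logs posted in this thread."""
import re
from typing import Dict, List, Set

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")   # "(macidwe)" at the end of a display name
MISSING_SUFFIX = " (file missing)"
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed from the first post's HijackThis log (a subset of its O23 lines).
HJT_O23_SAMPLE = r"""
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\Windows\system32\macidwe.exe
O23 - Service: NOBICYT - Unknown owner - C:\Windows\system32\Nobicyt.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\Windows\system32\perfs.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Routing - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: roxtctm Manages messages (roxtctm) - Unknown owner - C:\Windows\system32\roxtctm.exe
O23 - Service: sobicyt - Unknown owner - C:\Windows\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\Windows\system32\tdxdowkc.exe
O23 - Service: WServing - Unknown owner - C:\Windows\system32\WServing.exe
"""

# Constructed from the ComboFix log posted later in the thread (two of its sections).
COMBOFIX_SAMPLE = r"""
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
C:\Windows\system32\macidwe.exe
C:\Windows\system32\Nobicyt.exe
C:\Windows\system32\routing.exe
C:\Windows\system32\roxtctm.exe
C:\Windows\system32\sobicyt.exe
C:\Windows\system32\tdxdowkc.exe
C:\Windows\system32\WServing.exe
.
(((((((((((((((((((( Drivers/Services ))))))))))))))))))))
.
-------\Service_macidwe
-------\Service_perfs
-------\Service_Routing
-------\Service_roxtctm
-------\Service_sobicyt
-------\Service_tdxdowkc
-------\Service_WServing
"""

def parse_o23(line: str) -> Dict:
    """Split one O23 line into display name, short name, owner, path and a missing-file flag."""
    m = O23_RE.match(line.strip())
    if not m:
        return {}
    name, owner, path = m.group("name"), m.group("owner"), m.group("path")
    missing = path.endswith(MISSING_SUFFIX)
    if missing:
        path = path[: -len(MISSING_SUFFIX)]
    short = SHORT_NAME_RE.search(name)
    return {"name": name, "short": short.group(1) if short else name,
            "owner": owner, "path": path, "missing": missing}

def is_suspicious(svc: Dict) -> bool:
    """Unresolved publisher combined with a System32 location or a missing binary."""
    return svc["owner"] == "Unknown owner" and (svc["path"].lower().startswith(SYSTEM32) or svc["missing"])

def flag_services(hjt_text: str) -> List[Dict]:
    """All O23 entries in the log text that meet the triage rule, in log order."""
    return [svc for svc in map(parse_o23, hjt_text.splitlines()) if svc and is_suspicious(svc)]

def combofix_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the '((( Heading )))' banner they follow."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        banner = re.match(r"^\(+\s*(.+?)\s*\)+$", line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current and line.strip() not in ("", "."):
            sections[current].append(line.strip())
    return sections

def cross_check(flagged: List[Dict], combofix_text: str) -> Dict[str, List[str]]:
    """Mark each flagged service as removed (file or service entry deleted) or still needing review."""
    sections = combofix_sections(combofix_text)
    files: Set[str] = {p.lower() for p in sections.get("Other Deletions", [])}
    services: Set[str] = {entry.split("\\Service_", 1)[1].lower()
                          for entry in sections.get("Drivers/Services", []) if "\\Service_" in entry}
    result: Dict[str, List[str]] = {"removed": [], "needs_review": []}
    for svc in flagged:
        gone = svc["path"].lower() in files or svc["short"].lower() in services
        result["removed" if gone else "needs_review"].append(svc["short"])
    return result

if __name__ == "__main__":
    flagged = flag_services(HJT_O23_SAMPLE)
    for svc in flagged:
        print(f"FLAG  {svc['short']:<10} {svc['path']}{MISSING_SUFFIX if svc['missing'] else ''}")
    print(cross_check(flagged, COMBOFIX_SAMPLE))
```

Run against the thread's logs, the script flags nine services and reports eight of them as handled by ComboFix (seven by file deletion, `perfs` by removal of its service entry, its binary having already been missing). `PnkBstrA` stays in `needs_review`: the rule flags it, but nothing in the ComboFix log touches it, which is exactly the case a helper would want to look at by hand rather than have a script decide.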

Re: random sounds (thunder/voices) coming from comp

Unread postby rlindeman » August 28th, 2008, 7:08 am

I would prefer to not have to reformat to remove this malware if at all possible. I do not deal with any terribly sensitive information on this computer although I have used it to do some online banking through an online website. I was also curious how I could have gotten this particular malware. Was it most likely from downloading software? I greatly appreciate your help!

*edit* it is important to note that this computer is networked and has just now been disconnected. Are the other computers on my network at risk?
rlindeman
Regular Member
 
Posts: 15
Joined: August 25th, 2008, 10:16 pm

Re: random sounds (thunder/voices) coming from comp

Unread postby Shaba » August 28th, 2008, 7:30 am

"I was also curious how I could have gotten this particular malware. Was it most likely from downloading software?"

Pretty impossible to say.

"Are the other computers on my network at risk?"

They might be infected too, yes. If they have similar symptoms, I recommend starting new threads for them.

If so, we will start with this:

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: random sounds (thunder/voices) coming from comp

Unread postby rlindeman » August 28th, 2008, 3:33 pm

here are my updated logs...

ComboFix 08-08-28.02 - Robert 2008-08-28 14:22:45.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1370 [GMT -5:00]
Running from: E:\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\Install.txt
C:\Windows\system32\afinding.exe
C:\Windows\system32\atsxyzd.sys
C:\Windows\system32\comsa32.sys
C:\Windows\system32\macidwe.exe
C:\Windows\system32\Nobicyt.exe
C:\Windows\system32\routing.exe
C:\Windows\system32\roxtctm.exe
C:\Windows\system32\rtl60.bpl
C:\Windows\system32\sobicyt.exe
C:\Windows\system32\tdxdowkc.exe
C:\Windows\system32\WServing.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AFinding
-------\Service_macidwe
-------\Service_perfmons
-------\Service_perfs
-------\Service_Routing
-------\Service_roxtctm
-------\Service_sobicyt
-------\Service_tdxdowkc
-------\Service_WServing


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-24 20:25 . 2008-08-28 14:26 311,540,088 --a------ C:\Windows\MEMORY.DMP
2008-08-23 13:02 . 2008-08-23 13:02 <DIR> d-------- C:\Program Files\CCleaner
2008-08-23 12:58 . 2008-08-23 12:58 <DIR> d-------- C:\Program Files\ToniArts
2008-08-23 12:48 . 2008-08-23 12:48 <DIR> d-------- C:\Program Files\AML Products
2008-08-23 12:48 . 2000-05-22 16:58 608,448 --a------ C:\Windows\System32\comctl32.ocx
2008-08-20 16:29 . 2008-01-17 05:17 3,948 --a------ C:\Windows\System32\drivers\nvphy.bin
2008-08-20 14:29 . 2008-08-20 14:36 <DIR> d-------- C:\Program Files\Driver Sweeper
2008-08-18 16:16 . 2008-07-19 00:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-18 16:16 . 2008-07-18 22:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-18 16:16 . 2008-07-19 00:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-18 16:16 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-18 16:16 . 2008-07-18 22:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-18 16:16 . 2008-07-19 00:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-18 16:16 . 2008-07-19 00:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-18 16:16 . 2008-07-19 00:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-18 16:16 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-17 19:15 . 2008-08-17 19:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-16 12:21 . 2008-08-16 12:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 12:21 . 2007-11-27 22:51 35,216 --a------ C:\Windows\System32\drivers\TMPassthru.sys
2008-08-15 22:20 . 2008-08-15 22:20 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-08-15 20:31 . 2008-08-15 20:31 <DIR> d-------- C:\Users\All Users\WEBREG
2008-08-15 20:31 . 2008-08-15 20:31 <DIR> d-------- C:\ProgramData\WEBREG
2008-08-15 20:30 . 2008-08-15 20:30 <DIR> d-------- C:\Users\Robert\AppData\Roaming\HP
2008-08-15 20:30 . 2008-08-15 20:30 <DIR> d-------- C:\Users\All Users\HPSSUPPLY
2008-08-15 20:30 . 2008-08-15 20:30 <DIR> d-------- C:\ProgramData\HPSSUPPLY
2008-08-15 20:28 . 2008-08-15 20:28 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-08-15 20:28 . 2008-08-15 20:30 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-15 20:28 . 2008-08-15 20:28 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-15 20:27 . 2008-08-15 20:27 <DIR> d-------- C:\Users\All Users\Hewlett-Packard
2008-08-15 20:27 . 2008-08-15 20:27 <DIR> d-------- C:\ProgramData\Hewlett-Packard
2008-08-15 20:26 . 2008-08-15 20:30 <DIR> d-------- C:\Program Files\HP
2008-08-15 20:25 . 2008-08-15 20:41 <DIR> d-------- C:\Users\All Users\HP
2008-08-15 20:25 . 2008-08-15 20:41 <DIR> d-------- C:\ProgramData\HP
2008-08-15 20:25 . 2007-02-01 03:24 258,048 --a------ C:\Windows\System32\hpzids01.dll
2008-08-15 20:25 . 2008-08-20 13:32 130,835 --a------ C:\Windows\hpoins18.dat
2008-08-15 20:25 . 2007-02-28 19:07 6,600 --a------ C:\Windows\hpomdl18.dat
2008-08-15 20:10 . 2008-08-15 20:10 2,560 --a------ C:\Windows\_MSRSTRT.EXE
2008-08-15 00:23 . 2008-08-15 20:03 105,280 --a------ C:\Windows\System32\_BLOCK.WB4
2008-08-15 00:23 . 2008-08-15 20:08 274 --a------ C:\Windows\System32\_PersonalityVert2.WB4
2008-08-15 00:23 . 2008-08-15 20:08 274 --a------ C:\Windows\System32\_PersonalityVert1.WB4
2008-08-15 00:23 . 2008-08-15 20:08 274 --a------ C:\Windows\System32\_PersonalityHorz2.WB4
2008-08-15 00:23 . 2008-08-15 20:08 274 --a------ C:\Windows\System32\_PersonalityHorz1.WB4
2008-08-14 19:27 . 2008-08-14 19:27 <DIR> d-------- C:\Users\All Users\BCR
2008-08-14 19:27 . 2008-08-14 19:27 <DIR> d-------- C:\ProgramData\BCR
2008-08-14 18:51 . 2008-08-14 18:51 <DIR> d-------- C:\Windows\System32\AGEIA
2008-08-14 18:51 . 2008-08-14 18:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-14 18:51 . 2008-08-14 18:51 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-08-14 18:50 . 2008-08-14 18:50 <DIR> d-------- C:\Program Files\Capcom
2008-08-14 18:15 . 2008-08-14 18:15 <DIR> d-------- C:\Users\Robert\AppData\Roaming\SystemGadgets
2008-08-14 17:18 . 2008-08-14 17:26 <DIR> d-------- C:\Windows\nvtmpinst
2008-08-13 16:30 . 2008-08-13 16:31 145 --a------ C:\Users\Robert\cleanup.reg
2008-08-13 03:02 . 2008-07-15 20:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 02:08 . 2008-06-26 20:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 02:08 . 2008-06-26 23:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 02:08 . 2008-06-18 22:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 02:08 . 2008-04-18 00:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-13 02:07 . 2008-04-10 00:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-12 19:58 . 2007-11-14 15:18 553 --a------ C:\Windows\USetup.iss
2008-08-12 19:56 . 2008-08-12 19:56 <DIR> d-------- C:\Windows\System32\RTCOM
2008-08-12 19:54 . 2008-08-12 19:54 <DIR> d-------- C:\Program Files\Realtek
2008-08-12 19:54 . 2008-05-19 18:25 1,933,312 --a------ C:\Windows\System32\MaxxAudioEQ.dll
2008-08-12 19:54 . 2008-07-29 15:42 528,384 --a------ C:\Windows\RtlExUpd.dll
2008-08-12 19:54 . 2008-08-12 19:54 319,488 --a------ C:\Windows\HideWin.exe
2008-08-12 19:54 . 2008-04-30 12:18 159,744 --a------ C:\Windows\System32\MaxxAudioAPO20.dll
2008-08-12 19:54 . 2008-05-13 17:52 143,360 --a------ C:\Windows\System32\FMAPO.dll
2008-08-12 19:54 . 2007-07-30 18:26 126,976 --a------ C:\Windows\System32\MaxxAudioAPO.dll
2008-08-12 18:46 . 2008-08-15 00:00 <DIR> d-------- C:\Program Files\SpeedFan
2008-08-12 18:46 . 2008-08-12 18:46 45 --a------ C:\Windows\System32\initdebug.nfo
2008-08-08 23:17 . 2008-08-08 23:17 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-08-06 06:15 . 2008-08-06 06:14 102,664 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-08-06 06:14 . 2008-08-16 12:25 <DIR> d-------- C:\Users\Robert\.housecall6.6
2008-08-05 19:59 . 2008-08-05 20:04 <DIR> d-------- C:\Program Files\RocketDock
2008-08-05 18:43 . 2008-08-05 18:43 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-08-05 16:16 . 2008-08-05 16:16 <DIR> d-------- C:\Users\All Users\Stardock
2008-08-05 16:16 . 2008-08-05 16:16 <DIR> d-------- C:\ProgramData\Stardock
2008-08-05 15:47 . 2008-08-05 21:08 <DIR> d-------- C:\Boot
2008-08-05 15:47 . 2008-01-19 02:45 333,203 --a------ C:\bootmgr
2008-08-05 15:33 . 2008-08-23 15:21 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-05 15:33 . 2008-08-23 15:21 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-04 23:48 . 2008-08-04 23:48 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-08-04 23:47 . 2008-08-04 23:47 <DIR> d-------- C:\Program Files\eRightSoft
2008-08-04 23:26 . 2008-08-04 23:26 <DIR> d-------- C:\Users\Robert\AppData\Roaming\AVS4YOU
2008-08-04 23:26 . 2008-08-04 23:26 <DIR> d-------- C:\Users\All Users\AVS4YOU
2008-08-04 23:26 . 2008-08-04 23:26 <DIR> d-------- C:\ProgramData\AVS4YOU
2008-08-04 23:25 . 2008-08-04 23:28 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-04 23:25 . 2008-08-04 23:28 <DIR> d-------- C:\Program Files\AVS4YOU
2008-08-04 23:25 . 2007-02-27 19:36 1,700,352 --a------ C:\Windows\System32\GdiPlus.dll
2008-08-04 23:25 . 2007-02-27 19:36 974,848 --a------ C:\Windows\System32\mfc70.dll
2008-08-04 23:25 . 2007-02-27 19:36 487,424 --a------ C:\Windows\System32\msvcp70.dll
2008-08-04 23:25 . 2007-02-27 19:36 24,576 --a------ C:\Windows\System32\msxml3a.dll
2008-08-04 23:20 . 2006-08-25 09:45 617,472 --a------ C:\Windows\System32\temp.002
2008-08-04 23:20 . 2004-08-03 23:56 343,040 --a------ C:\Windows\System32\temp.000
2008-08-04 23:20 . 2004-08-09 21:27 151,552 --a------ C:\Windows\System32\temp.001
2008-08-04 23:20 . 2005-02-04 10:21 40,960 --a------ C:\Windows\System32\FxHorizBtn.ocx
2008-08-04 23:20 . 2003-03-06 10:43 36,864 --a------ C:\Windows\System32\FxPanel.ocx
2008-08-04 23:20 . 2001-08-23 06:00 3,584 --a------ C:\Windows\System32\temp.003
2008-08-04 23:20 . 2000-06-13 00:00 2,493 --a------ C:\Windows\System32\COMCTL32.DEP
2008-08-04 23:19 . 2008-08-04 23:19 <DIR> d-------- C:\Users\Robert\AppData\Roaming\Download Manager
2008-08-04 20:54 . 1996-08-30 17:02 13,824 --a------ C:\Windows\System32\LAYOUT.DLL
2008-08-04 20:54 . 1996-06-25 06:46 518 --a------ C:\Windows\System32\LAYOUT.REG
2008-08-03 14:50 . 2008-08-03 14:50 0 --------- C:\Windows\WB.ini
2008-08-02 22:00 . 2008-08-02 22:28 <DIR> d-------- C:\Users\Robert\AppData\Roaming\Winamp
2008-08-02 22:00 . 2008-08-07 18:59 <DIR> d-------- C:\Program Files\Winamp Remote
2008-08-02 22:00 . 2008-08-07 18:50 <DIR> d-------- C:\Program Files\Winamp
2008-08-02 22:00 . 2007-03-07 18:51 129,784 --------- C:\Windows\System32\pxafs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 01:08 --------- d-----w C:\Program Files\Steam
2008-08-23 17:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-20 21:32 --------- d-----w C:\ProgramData\NVIDIA
2008-08-20 08:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-14 23:51 --------- d-----w C:\Program Files\OpenAL
2008-08-13 08:03 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-13 08:03 --------- d-----w C:\Program Files\Windows Mail
2008-08-13 00:55 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-08-06 22:19 1,833,504 ----a-w C:\Windows\SkyTel.exe
2008-08-06 22:19 1,202,720 ----a-w C:\Windows\RtlUpd.exe
2008-08-06 22:18 6,265,376 ----a-w C:\Windows\RtHDVCpl.exe
2008-08-06 22:11 2,164,248 ----a-w C:\Windows\system32\drivers\RTKVHDA.sys
2008-08-05 20:43 --------- d-----w C:\ProgramData\Media Center Programs
2008-08-03 20:08 --------- d---a-w C:\ProgramData\TEMP
2008-08-03 20:04 --------- d-----w C:\Program Files\Common Files\Steam
2008-08-01 01:17 --------- d-----w C:\Users\Robert\AppData\Roaming\DAEMON Tools
2008-07-26 17:48 7,281,056 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
2008-07-13 02:40 --------- d-----w C:\Program Files\Savage 2 - A Tortured Soul
2008-07-09 02:20 --------- d-----w C:\Program Files\Java
2008-07-08 14:33 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-06-29 19:32 --------- d-----w C:\Program Files\Diablo II
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-04-25 03:27 174 --sha-w C:\Program Files\desktop.ini
2006-05-03 09:06 163,328 --sh--r C:\Windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\Windows\System32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r C:\Windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-04-22 18:18 1271032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 02:33 125952]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 02:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWPersistentQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE" [2007-08-24 03:18 437160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-08 09:33 1232152]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 17:22 81920]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-07-26 12:48 13576736]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-07-26 12:48 92704]
"TMRUBottedTray"="C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-19 00:18 288088]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-06 17:18 6265376 C:\Windows\RtHDVCpl.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
iReboot 1.0.0.lnk - C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe [2007-07-26 05:51:12 281600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-07-22 10:53 240376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"VIDC.XFR1"= xfcodec.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-148177899-1021147868-3132030957-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F2E90BEA-78E8-4B28-BF1F-46A12837034F}"= UDP:RPC|C:\Program Files\Microsoft Virtual Server\vssrvc.exe:Virtual Server
"TCP Query User{C047CB96-335B-4755-B868-FF1A1D16BA12}C:\\program files\\starcraft\\starcraft.exe"= UDP:C:\program files\starcraft\starcraft.exe:Starcraft
"UDP Query User{ECE46776-EA2B-49F3-92C3-B42ED5540A84}C:\\program files\\starcraft\\starcraft.exe"= TCP:C:\program files\starcraft\starcraft.exe:Starcraft
"TCP Query User{58F1497C-26F1-4C7F-A36E-CF090975C9F5}C:\\program files\\microsoft virtual pc\\virtual pc.exe"= UDP:C:\program files\microsoft virtual pc\virtual pc.exe:Virtual PC 2007
"UDP Query User{60E1E945-FCA4-4FD2-A924-0251531CEB37}C:\\program files\\microsoft virtual pc\\virtual pc.exe"= TCP:C:\program files\microsoft virtual pc\virtual pc.exe:Virtual PC 2007
"TCP Query User{08585456-4AC3-4FD1-AB9B-3E29269C099E}C:\\program files\\videolan\\vlc\\vlc.exe"= UDP:C:\program files\videolan\vlc\vlc.exe:VLC media player
"UDP Query User{72838EF7-5B02-48E1-B1A4-4539546DB45B}C:\\program files\\videolan\\vlc\\vlc.exe"= TCP:C:\program files\videolan\vlc\vlc.exe:VLC media player
"{8FC17F96-D1CE-4BA5-8862-70AC224B4348}"= UDP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{08C5C278-BEAD-4C89-BAC4-7EC14B1C06AF}"= TCP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{24341CA8-0ACC-4DCD-A28A-98CB3B7E4327}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{29E12118-C344-4EE6-AA0A-A0407019153E}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{FBF12439-0636-47D3-99C8-79DD74C44EB3}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{EFB2A98F-EC5E-4A1C-9B0A-F7C9CB5D3DF2}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{B8940F66-98BD-436D-BA2B-C8657FEAC72E}C:\\program files\\microsoft virtual pc\\virtual pc.exe"= UDP:C:\program files\microsoft virtual pc\virtual pc.exe:Virtual PC 2007
"UDP Query User{D20FAF7E-E3A6-48C5-99B8-7DFECC7B04ED}C:\\program files\\microsoft virtual pc\\virtual pc.exe"= TCP:C:\program files\microsoft virtual pc\virtual pc.exe:Virtual PC 2007
"{BA121A2F-F219-4988-9CB8-61352CC84233}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{748FCFE2-FE65-4934-AA60-2473270130F2}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A2F1D4EA-8234-45F1-84FE-E64A4E1D4EC6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D19813F8-3511-4901-965E-DA0D18CB3187}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{097E632E-800A-43D6-8B43-B38BD4A3DBC6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{085D20F2-BD9C-4A6D-9365-2913D96122C8}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{61DE26B8-F7B1-4631-96B7-8ED06776D121}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{2D911054-EC9A-4CF7-B397-E222C85E57CA}D:\\remote programs\\ea\\need for speed carbon\\nfsc.exe"= UDP:D:\remote programs\ea\need for speed carbon\nfsc.exe:NFSC
"UDP Query User{AA766D16-0433-45FE-BB42-996145412F5A}D:\\remote programs\\ea\\need for speed carbon\\nfsc.exe"= TCP:D:\remote programs\ea\need for speed carbon\nfsc.exe:NFSC
"TCP Query User{B7337A82-6711-4DDB-B0C7-711901737895}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7D628829-4140-4AB9-834A-8795E95AA996}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{3207507A-C03F-45E3-9FE2-C1CA2CAEA7FE}C:\\program files\\thq\\gas powered games\\supreme commander - forged alliance\\bin\\forgedalliance.exe"= UDP:C:\program files\thq\gas powered games\supreme commander - forged alliance\bin\forgedalliance.exe:Supreme Commander Forged Alliance Application
"UDP Query User{A6EC222C-02E0-47EF-A3CD-B06D3533753C}C:\\program files\\thq\\gas powered games\\supreme commander - forged alliance\\bin\\forgedalliance.exe"= TCP:C:\program files\thq\gas powered games\supreme commander - forged alliance\bin\forgedalliance.exe:Supreme Commander Forged Alliance Application
"{75C51C14-9DC5-4D10-9643-C4D013349C9B}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{37096941-E718-4CFC-BAF8-4862B39B9666}"= UDP:C:\Program Files\Capcom\Bionic Commando Rearmed\bcr.exe:Bionic Commando Rearmed
"{1140199F-2B06-45E9-8216-5028944EF184}"= TCP:C:\Program Files\Capcom\Bionic Commando Rearmed\bcr.exe:Bionic Commando Rearmed
"TCP Query User{E26D3BF7-69BF-40D5-8C09-3B2097C594AC}C:\\program files\\steam\\steamapps\\express5577@yahoo.com\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\express5577@yahoo.com\counter-strike source\hl2.exe:hl2
"UDP Query User{8E73308E-B455-4F86-AAA3-6DD7AF69B998}C:\\program files\\steam\\steamapps\\express5577@yahoo.com\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\express5577@yahoo.com\counter-strike source\hl2.exe:hl2

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-07-08 09:33]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 09:33]
R2 RUBotted;Trend Micro RUBotted Service;C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe [2007-12-19 00:18]
R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-14 13:39]
R2 Virtual Server;Virtual Server;C:\Program Files\Microsoft Virtual Server\vssrvc.exe [2007-05-24 13:36]
R3 TMPassthruMP;TMPassthruMP;C:\Windows\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
R3 vhdbus;Microsoft Virtual Server Storage Bus;C:\Windows\system32\DRIVERS\vhdbus.sys [2007-05-05 04:25]
R3 vmh;Virtual Machine Helper;C:\Program Files\Microsoft Virtual Server\vmh.exe [2007-05-24 13:36]
R3 X10Hid;X10 Hid Device;C:\Windows\system32\Drivers\x10hid.sys [2006-11-17 11:31]
S3 msloop;Microsoft Loopback Adapter Driver;C:\Windows\system32\DRIVERS\loop.sys [2008-01-19 00:55]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-08-03 14:30]
S3 TMPassthru;Trend Micro Passthru Ndis Service;C:\Windows\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
S4 NOBICYT;NOBICYT;C:\Windows\system32\Nobicyt.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2008-08-27 C:\Windows\Tasks\User_Feed_Synchronization-{8C28E154-F323-4AD7-ADF2-57743A4D4198}.job
- C:\Windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\buy3s08w.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.weather.com/weather/local/77 ... centsearch
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 14:26:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\wbload.dll
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\audiodg.exe
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WBVista.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Windows\System32\PnkBstrA.exe
C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe
C:\Windows\System32\WUDFHost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\msiexec.exe
C:\Windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-08-28 14:30:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 19:30:25

Pre-Run: 10,161,901,568 bytes free
Post-Run: 9,760,534,528 bytes free

320 --- E O F --- 2008-08-20 08:00:23

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:29 PM, on 8/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: iReboot 1.0.0.lnk = C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.Robert-PC (HKLM)
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/i ... downls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 7646 bytes
rlindeman
Regular Member
 
Posts: 15
Joined: August 25th, 2008, 10:16 pm

Re: random sounds (thunder/voices) comming from comp

Unread postby Shaba » August 29th, 2008, 3:39 am

Open notepad and copy/paste the text in the codebox below into it:

Code:
Driver::
NOBICYT


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also which process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: random sounds (thunder/voices) comming from comp

Unread postby rlindeman » August 31st, 2008, 3:09 pm

Here are my new updated logs...
ComboFix 08-08-28.02 - Robert 2008-08-31 13:39:23.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1528 [GMT -5:00]
Running from: E:\Downloads\ComboFix.exe
Command switches used :: C:\Users\Robert\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\install.exe
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NOBICYT


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.

2008-08-24 20:25 . 2008-08-31 05:22 326,781,304 --a------ C:\Windows\MEMORY.DMP
2008-08-23 13:02 . 2008-08-23 13:02 <DIR> d-------- C:\Program Files\CCleaner
2008-08-23 12:58 . 2008-08-23 12:58 <DIR> d-------- C:\Program Files\ToniArts
2008-08-23 12:48 . 2008-08-23 12:48 <DIR> d-------- C:\Program Files\AML Products
2008-08-23 12:48 . 2000-05-22 16:58 608,448 --a------ C:\Windows\System32\comctl32.ocx
2008-08-20 16:29 . 2008-01-17 05:17 3,948 --a------ C:\Windows\System32\drivers\nvphy.bin
2008-08-20 14:29 . 2008-08-20 14:36 <DIR> d-------- C:\Program Files\Driver Sweeper
2008-08-18 16:16 . 2008-07-19 00:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-18 16:16 . 2008-07-18 22:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-18 16:16 . 2008-07-19 00:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-18 16:16 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-18 16:16 . 2008-07-18 22:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-18 16:16 . 2008-07-19 00:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-18 16:16 . 2008-07-19 00:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-18 16:16 . 2008-07-19 00:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-18 16:16 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-17 19:15 . 2008-08-17 19:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-16 12:21 . 2008-08-16 12:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 12:21 . 2007-11-27 22:51 35,216 --a------ C:\Windows\System32\drivers\TMPassthru.sys
2008-08-15 22:20 . 2008-08-15 22:20 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-08-15 20:31 . 2008-08-15 20:31 <DIR> d-------- C:\Users\All Users\WEBREG
2008-08-15 20:31 . 2008-08-15 20:31 <DIR> d-------- C:\ProgramData\WEBREG
2008-08-15 20:30 . 2008-08-15 20:30 <DIR> d-------- C:\Users\Robert\AppData\Roaming\HP
2008-08-15 20:30 . 2008-08-15 20:30 <DIR> d-------- C:\Users\All Users\HPSSUPPLY
2008-08-15 20:30 . 2008-08-15 20:30 <DIR> d-------- C:\ProgramData\HPSSUPPLY
2008-08-15 20:28 . 2008-08-15 20:28 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-08-15 20:28 . 2008-08-15 20:30 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-15 20:28 . 2008-08-15 20:28 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-15 20:27 . 2008-08-15 20:27 <DIR> d-------- C:\Users\All Users\Hewlett-Packard
2008-08-15 20:27 . 2008-08-15 20:27 <DIR> d-------- C:\ProgramData\Hewlett-Packard
2008-08-15 20:26 . 2008-08-15 20:30 <DIR> d-------- C:\Program Files\HP
2008-08-15 20:25 . 2008-08-15 20:41 <DIR> d-------- C:\Users\All Users\HP
2008-08-15 20:25 . 2008-08-15 20:41 <DIR> d-------- C:\ProgramData\HP
2008-08-15 20:25 . 2007-02-01 03:24 258,048 --a------ C:\Windows\System32\hpzids01.dll
2008-08-15 20:25 . 2008-08-20 13:32 130,835 --a------ C:\Windows\hpoins18.dat
2008-08-15 20:25 . 2007-02-28 19:07 6,600 --a------ C:\Windows\hpomdl18.dat
2008-08-15 20:10 . 2008-08-15 20:10 2,560 --a------ C:\Windows\_MSRSTRT.EXE
2008-08-15 00:23 . 2008-08-15 20:03 105,280 --a------ C:\Windows\System32\_BLOCK.WB4
2008-08-15 00:23 . 2008-08-15 20:08 274 --a------ C:\Windows\System32\_PersonalityVert2.WB4
2008-08-15 00:23 . 2008-08-15 20:08 274 --a------ C:\Windows\System32\_PersonalityVert1.WB4
2008-08-15 00:23 . 2008-08-15 20:08 274 --a------ C:\Windows\System32\_PersonalityHorz2.WB4
2008-08-15 00:23 . 2008-08-15 20:08 274 --a------ C:\Windows\System32\_PersonalityHorz1.WB4
2008-08-14 19:27 . 2008-08-14 19:27 <DIR> d-------- C:\Users\All Users\BCR
2008-08-14 19:27 . 2008-08-14 19:27 <DIR> d-------- C:\ProgramData\BCR
2008-08-14 18:51 . 2008-08-14 18:51 <DIR> d-------- C:\Windows\System32\AGEIA
2008-08-14 18:51 . 2008-08-14 18:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-14 18:51 . 2008-08-14 18:51 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-08-14 18:50 . 2008-08-14 18:50 <DIR> d-------- C:\Program Files\Capcom
2008-08-14 18:15 . 2008-08-14 18:15 <DIR> d-------- C:\Users\Robert\AppData\Roaming\SystemGadgets
2008-08-14 17:18 . 2008-08-14 17:26 <DIR> d-------- C:\Windows\nvtmpinst
2008-08-13 16:30 . 2008-08-13 16:31 145 --a------ C:\Users\Robert\cleanup.reg
2008-08-13 03:02 . 2008-07-15 20:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 02:08 . 2008-06-26 20:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 02:08 . 2008-06-26 23:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 02:08 . 2008-06-18 22:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 02:08 . 2008-04-18 00:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-13 02:07 . 2008-04-10 00:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-12 19:58 . 2007-11-14 15:18 553 --a------ C:\Windows\USetup.iss
2008-08-12 19:56 . 2008-08-12 19:56 <DIR> d-------- C:\Windows\System32\RTCOM
2008-08-12 19:54 . 2008-08-12 19:54 <DIR> d-------- C:\Program Files\Realtek
2008-08-12 19:54 . 2008-05-19 18:25 1,933,312 --a------ C:\Windows\System32\MaxxAudioEQ.dll
2008-08-12 19:54 . 2008-07-29 15:42 528,384 --a------ C:\Windows\RtlExUpd.dll
2008-08-12 19:54 . 2008-08-12 19:54 319,488 --a------ C:\Windows\HideWin.exe
2008-08-12 19:54 . 2008-04-30 12:18 159,744 --a------ C:\Windows\System32\MaxxAudioAPO20.dll
2008-08-12 19:54 . 2008-05-13 17:52 143,360 --a------ C:\Windows\System32\FMAPO.dll
2008-08-12 19:54 . 2007-07-30 18:26 126,976 --a------ C:\Windows\System32\MaxxAudioAPO.dll
2008-08-12 18:46 . 2008-08-15 00:00 <DIR> d-------- C:\Program Files\SpeedFan
2008-08-12 18:46 . 2008-08-12 18:46 45 --a------ C:\Windows\System32\initdebug.nfo
2008-08-08 23:17 . 2008-08-08 23:17 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-08-06 06:15 . 2008-08-06 06:14 102,664 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-08-06 06:14 . 2008-08-16 12:25 <DIR> d-------- C:\Users\Robert\.housecall6.6
2008-08-05 19:59 . 2008-08-05 20:04 <DIR> d-------- C:\Program Files\RocketDock
2008-08-05 18:43 . 2008-08-05 18:43 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-08-05 16:16 . 2008-08-05 16:16 <DIR> d-------- C:\Users\All Users\Stardock
2008-08-05 16:16 . 2008-08-05 16:16 <DIR> d-------- C:\ProgramData\Stardock
2008-08-05 15:47 . 2008-08-05 21:08 <DIR> d-------- C:\Boot
2008-08-05 15:47 . 2008-01-19 02:45 333,203 --a------ C:\bootmgr
2008-08-05 15:33 . 2008-08-23 15:21 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-05 15:33 . 2008-08-23 15:21 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-04 23:48 . 2008-08-04 23:48 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-08-04 23:47 . 2008-08-04 23:47 <DIR> d-------- C:\Program Files\eRightSoft
2008-08-04 23:26 . 2008-08-04 23:26 <DIR> d-------- C:\Users\Robert\AppData\Roaming\AVS4YOU
2008-08-04 23:26 . 2008-08-04 23:26 <DIR> d-------- C:\Users\All Users\AVS4YOU
2008-08-04 23:26 . 2008-08-04 23:26 <DIR> d-------- C:\ProgramData\AVS4YOU
2008-08-04 23:25 . 2008-08-04 23:28 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-04 23:25 . 2008-08-04 23:28 <DIR> d-------- C:\Program Files\AVS4YOU
2008-08-04 23:25 . 2007-02-27 19:36 1,700,352 --a------ C:\Windows\System32\GdiPlus.dll
2008-08-04 23:25 . 2007-02-27 19:36 974,848 --a------ C:\Windows\System32\mfc70.dll
2008-08-04 23:25 . 2007-02-27 19:36 487,424 --a------ C:\Windows\System32\msvcp70.dll
2008-08-04 23:25 . 2007-02-27 19:36 24,576 --a------ C:\Windows\System32\msxml3a.dll
2008-08-04 23:20 . 2006-08-25 09:45 617,472 --a------ C:\Windows\System32\temp.002
2008-08-04 23:20 . 2004-08-03 23:56 343,040 --a------ C:\Windows\System32\temp.000
2008-08-04 23:20 . 2004-08-09 21:27 151,552 --a------ C:\Windows\System32\temp.001
2008-08-04 23:20 . 2005-02-04 10:21 40,960 --a------ C:\Windows\System32\FxHorizBtn.ocx
2008-08-04 23:20 . 2003-03-06 10:43 36,864 --a------ C:\Windows\System32\FxPanel.ocx
2008-08-04 23:20 . 2001-08-23 06:00 3,584 --a------ C:\Windows\System32\temp.003
2008-08-04 23:20 . 2000-06-13 00:00 2,493 --a------ C:\Windows\System32\COMCTL32.DEP
2008-08-04 23:19 . 2008-08-04 23:19 <DIR> d-------- C:\Users\Robert\AppData\Roaming\Download Manager
2008-08-04 20:54 . 1996-08-30 17:02 13,824 --a------ C:\Windows\System32\LAYOUT.DLL
2008-08-04 20:54 . 1996-06-25 06:46 518 --a------ C:\Windows\System32\LAYOUT.REG
2008-08-03 14:50 . 2008-08-03 14:50 0 --------- C:\Windows\WB.ini
2008-08-02 22:00 . 2008-08-02 22:28 <DIR> d-------- C:\Users\Robert\AppData\Roaming\Winamp
2008-08-02 22:00 . 2008-08-07 18:59 <DIR> d-------- C:\Program Files\Winamp Remote
2008-08-02 22:00 . 2008-08-07 18:50 <DIR> d-------- C:\Program Files\Winamp
2008-08-02 22:00 . 2007-03-07 18:51 129,784 --------- C:\Windows\System32\pxafs.dll
2008-07-26 12:48 . 2008-07-26 12:48 13,576,736 --a------ C:\Windows\System32\nvcpl.dll
2008-07-10 20:28 . 2008-06-25 20:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-10 20:28 . 2008-06-25 20:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-10 20:28 . 2008-06-25 22:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 18:28 --------- d-----w C:\Program Files\Steam
2008-08-23 17:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-20 21:32 --------- d-----w C:\ProgramData\NVIDIA
2008-08-20 08:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-14 23:51 --------- d-----w C:\Program Files\OpenAL
2008-08-13 08:03 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-13 08:03 --------- d-----w C:\Program Files\Windows Mail
2008-08-13 00:55 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-08-06 22:19 1,833,504 ----a-w C:\Windows\SkyTel.exe
2008-08-06 22:19 1,202,720 ----a-w C:\Windows\RtlUpd.exe
2008-08-06 22:18 6,265,376 ----a-w C:\Windows\RtHDVCpl.exe
2008-08-06 22:11 2,164,248 ----a-w C:\Windows\system32\drivers\RTKVHDA.sys
2008-08-05 20:43 --------- d-----w C:\ProgramData\Media Center Programs
2008-08-03 20:08 --------- d---a-w C:\ProgramData\TEMP
2008-08-03 20:04 --------- d-----w C:\Program Files\Common Files\Steam
2008-08-01 01:17 --------- d-----w C:\Users\Robert\AppData\Roaming\DAEMON Tools
2008-07-26 17:48 7,281,056 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
2008-07-13 02:40 --------- d-----w C:\Program Files\Savage 2 - A Tortured Soul
2008-07-09 02:20 --------- d-----w C:\Program Files\Java
2008-07-08 14:33 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-06-29 19:32 --------- d-----w C:\Program Files\Diablo II
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-13 01:20 94,208 ----a-w C:\Windows\DIIUnin.exe
2008-05-13 01:20 2,829 ----a-w C:\Windows\DIIUnin.pif
2008-04-25 03:27 174 --sha-w C:\Program Files\desktop.ini
2006-05-03 09:06 163,328 --sh--r C:\Windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\Windows\System32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r C:\Windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-28_14.30.08.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-31 18:43:11 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-28 19:26:57 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-31 18:44:53 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-28 19:26:57 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-31 18:44:53 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-31 18:44:53 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-08-28 19:10:48 1,916,928 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-31 18:43:56 1,916,928 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-28 19:10:48 851,968 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-31 18:43:56 851,968 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-28 19:10:48 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-31 18:43:56 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-27 23:46:19 384,718 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-31 10:30:03 406,006 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-27 23:46:19 1,391,204 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-31 10:30:03 1,450,596 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-27 23:41:28 11,976 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-148177899-1021147868-3132030957-1000_UserData.bin
+ 2008-08-29 03:09:53 12,818 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-148177899-1021147868-3132030957-1000_UserData.bin
- 2008-08-27 23:41:28 84,712 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-29 03:09:53 85,370 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-04-22 18:18 1271032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 02:33 125952]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 02:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWPersistentQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE" [2007-08-24 03:18 437160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-08 09:33 1232152]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 17:22 81920]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-07-26 12:48 13576736]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-07-26 12:48 92704]
"TMRUBottedTray"="C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-19 00:18 288088]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-06 17:18 6265376 C:\Windows\RtHDVCpl.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
iReboot 1.0.0.lnk - C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe [2007-07-26 05:51:12 281600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-07-22 10:53 240376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"VIDC.XFR1"= xfcodec.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-148177899-1021147868-3132030957-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F2E90BEA-78E8-4B28-BF1F-46A12837034F}"= UDP:RPC|C:\Program Files\Microsoft Virtual Server\vssrvc.exe:Virtual Server
"TCP Query User{C047CB96-335B-4755-B868-FF1A1D16BA12}C:\\program files\\starcraft\\starcraft.exe"= UDP:C:\program files\starcraft\starcraft.exe:Starcraft
"UDP Query User{ECE46776-EA2B-49F3-92C3-B42ED5540A84}C:\\program files\\starcraft\\starcraft.exe"= TCP:C:\program files\starcraft\starcraft.exe:Starcraft
"TCP Query User{58F1497C-26F1-4C7F-A36E-CF090975C9F5}C:\\program files\\microsoft virtual pc\\virtual pc.exe"= UDP:C:\program files\microsoft virtual pc\virtual pc.exe:Virtual PC 2007
"UDP Query User{60E1E945-FCA4-4FD2-A924-0251531CEB37}C:\\program files\\microsoft virtual pc\\virtual pc.exe"= TCP:C:\program files\microsoft virtual pc\virtual pc.exe:Virtual PC 2007
"TCP Query User{08585456-4AC3-4FD1-AB9B-3E29269C099E}C:\\program files\\videolan\\vlc\\vlc.exe"= UDP:C:\program files\videolan\vlc\vlc.exe:VLC media player
"UDP Query User{72838EF7-5B02-48E1-B1A4-4539546DB45B}C:\\program files\\videolan\\vlc\\vlc.exe"= TCP:C:\program files\videolan\vlc\vlc.exe:VLC media player
"{8FC17F96-D1CE-4BA5-8862-70AC224B4348}"= UDP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{08C5C278-BEAD-4C89-BAC4-7EC14B1C06AF}"= TCP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{24341CA8-0ACC-4DCD-A28A-98CB3B7E4327}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{29E12118-C344-4EE6-AA0A-A0407019153E}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{FBF12439-0636-47D3-99C8-79DD74C44EB3}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{EFB2A98F-EC5E-4A1C-9B0A-F7C9CB5D3DF2}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{B8940F66-98BD-436D-BA2B-C8657FEAC72E}C:\\program files\\microsoft virtual pc\\virtual pc.exe"= UDP:C:\program files\microsoft virtual pc\virtual pc.exe:Virtual PC 2007
"UDP Query User{D20FAF7E-E3A6-48C5-99B8-7DFECC7B04ED}C:\\program files\\microsoft virtual pc\\virtual pc.exe"= TCP:C:\program files\microsoft virtual pc\virtual pc.exe:Virtual PC 2007
"{BA121A2F-F219-4988-9CB8-61352CC84233}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{748FCFE2-FE65-4934-AA60-2473270130F2}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A2F1D4EA-8234-45F1-84FE-E64A4E1D4EC6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D19813F8-3511-4901-965E-DA0D18CB3187}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{097E632E-800A-43D6-8B43-B38BD4A3DBC6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{085D20F2-BD9C-4A6D-9365-2913D96122C8}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{61DE26B8-F7B1-4631-96B7-8ED06776D121}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{2D911054-EC9A-4CF7-B397-E222C85E57CA}D:\\remote programs\\ea\\need for speed carbon\\nfsc.exe"= UDP:D:\remote programs\ea\need for speed carbon\nfsc.exe:NFSC
"UDP Query User{AA766D16-0433-45FE-BB42-996145412F5A}D:\\remote programs\\ea\\need for speed carbon\\nfsc.exe"= TCP:D:\remote programs\ea\need for speed carbon\nfsc.exe:NFSC
"TCP Query User{B7337A82-6711-4DDB-B0C7-711901737895}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7D628829-4140-4AB9-834A-8795E95AA996}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{3207507A-C03F-45E3-9FE2-C1CA2CAEA7FE}C:\\program files\\thq\\gas powered games\\supreme commander - forged alliance\\bin\\forgedalliance.exe"= UDP:C:\program files\thq\gas powered games\supreme commander - forged alliance\bin\forgedalliance.exe:Supreme Commander Forged Alliance Application
"UDP Query User{A6EC222C-02E0-47EF-A3CD-B06D3533753C}C:\\program files\\thq\\gas powered games\\supreme commander - forged alliance\\bin\\forgedalliance.exe"= TCP:C:\program files\thq\gas powered games\supreme commander - forged alliance\bin\forgedalliance.exe:Supreme Commander Forged Alliance Application
"{75C51C14-9DC5-4D10-9643-C4D013349C9B}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{37096941-E718-4CFC-BAF8-4862B39B9666}"= UDP:C:\Program Files\Capcom\Bionic Commando Rearmed\bcr.exe:Bionic Commando Rearmed
"{1140199F-2B06-45E9-8216-5028944EF184}"= TCP:C:\Program Files\Capcom\Bionic Commando Rearmed\bcr.exe:Bionic Commando Rearmed
"TCP Query User{E26D3BF7-69BF-40D5-8C09-3B2097C594AC}C:\\program files\\steam\\steamapps\\express5577@yahoo.com\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\express5577@yahoo.com\counter-strike source\hl2.exe:hl2
"UDP Query User{8E73308E-B455-4F86-AAA3-6DD7AF69B998}C:\\program files\\steam\\steamapps\\express5577@yahoo.com\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\express5577@yahoo.com\counter-strike source\hl2.exe:hl2

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-07-08 09:33]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 09:33]
R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-14 13:39]
R2 Virtual Server;Virtual Server;C:\Program Files\Microsoft Virtual Server\vssrvc.exe [2007-05-24 13:36]
R3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-08-03 14:30]
R3 TMPassthruMP;TMPassthruMP;C:\Windows\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
R3 vhdbus;Microsoft Virtual Server Storage Bus;C:\Windows\system32\DRIVERS\vhdbus.sys [2007-05-05 04:25]
R3 vmh;Virtual Machine Helper;C:\Program Files\Microsoft Virtual Server\vmh.exe [2007-05-24 13:36]
R3 X10Hid;X10 Hid Device;C:\Windows\system32\Drivers\x10hid.sys [2006-11-17 11:31]
S2 RUBotted;Trend Micro RUBotted Service;C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe [2007-12-19 00:18]
S3 msloop;Microsoft Loopback Adapter Driver;C:\Windows\system32\DRIVERS\loop.sys [2008-01-19 00:55]
S3 TMPassthru;Trend Micro Passthru Ndis Service;C:\Windows\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2008-08-31 C:\Windows\Tasks\User_Feed_Synchronization-{8C28E154-F323-4AD7-ADF2-57743A4D4198}.job
- C:\Windows\system32\msfeedssync.exe [2008-01-19 02:33]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 13:44:58
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\wbload.dll

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\wbload.dll
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\audiodg.exe
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WBVista.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Windows\System32\PnkBstrA.exe
C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe
C:\Windows\System32\WUDFHost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedLite.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-08-31 13:49:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-31 18:49:38
ComboFix2.txt 2008-08-28 19:30:29

Pre-Run: 9,543,290,880 bytes free
Post-Run: 13,391,097,856 bytes free

327 --- E O F --- 2008-08-20 08:00:23

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:31 PM, on 8/31/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\ehome\ehtray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: iReboot 1.0.0.lnk = C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.Robert-PC (HKLM)
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/i ... downls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 7800 bytes
rlindeman
Regular Member
 
Posts: 15
Joined: August 25th, 2008, 10:16 pm

Re: random sounds (thunder/voices) comming from comp

Unread postby Shaba » September 1st, 2008, 2:57 am

Right-click your favorite web browser and choose Run as administrator.

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: random sounds (thunder/voices) comming from comp

Unread postby rlindeman » September 4th, 2008, 2:12 am

Here are the logs... I'm starting to think a full reinstall may be the best option because my computer keeps crashing before a full scan finishes. Windows blames it on a SATA driver error... but I have tried several fixes for that issue, none of which have fixed it. This scan was based on critical areas...

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 4, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 04, 2008 04:04:07
Records in database: 1189769
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Program Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows
Scan statistics
Files scanned 84530
Threat name 2
Infected objects 2
Suspicious objects 0
Duration of the scan 00:39:04

File name Threat name Threats count
C:\Windows\System32\cfexfst.sys Infected: Trojan-Clicker.Win32.VB.blo 1
C:\Windows\System32\fduvfct.sys Infected: Trojan-Clicker.Win32.VB.bwh 1
The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:25 AM, on 9/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
D:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: iReboot 1.0.0.lnk = C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.Robert-PC (HKLM)
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/i ... downls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 7445 bytes
rlindeman
Regular Member
 
Posts: 15
Joined: August 25th, 2008, 10:16 pm

Re: random sounds (thunder/voices) comming from comp

Unread postby Shaba » September 4th, 2008, 3:50 am

Yes, that error doesn't sound good.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\System32\cfexfst.sys
    C:\Windows\System32\fduvfct.sys

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
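The move-and-reboot procedure in the post above, written out as an added PowerShell example (this is not OTMoveIt2's own code and not something posted in the thread): it quarantines the two driver files named in the codebox, records a SHA256 hash of each before it is renamed, and, when a file is locked (a loaded driver will be), queues the move for the next boot through the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, the standard Windows mechanism behind the "you may be asked to reboot" note. The quarantine folder C:\_Quarantine, the Write-Log helper and the .vir suffix are this example's own choices, not OTMoveIt2's; it must be run from an elevated PowerShell session.

```powershell
# Added example, not OTMoveIt2's code. Quarantine-move the files listed in the
# post, hashing each first and deferring locked files to the next reboot.
# Run from an elevated (Run as administrator) PowerShell session.

$FilesToMove = @(
    'C:\Windows\System32\cfexfst.sys',   # the two paths from the codebox above
    'C:\Windows\System32\fduvfct.sys'
)
$QuarantineDir = 'C:\_Quarantine'       # assumed folder for this example (OTMoveIt2 uses C:\_OTMoveIt\MovedFiles)
$LogFile       = Join-Path $QuarantineDir ("moved_{0:yyyyMMdd_HHmmss}.log" -f (Get-Date))

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the rename under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations;
# Session Manager applies it early in the next boot, before drivers and services load.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# Small helper (example's own): write each result to the log file and to the console.
function Write-Log([string]$Message) {
    Add-Content -LiteralPath $LogFile -Value $Message
    Write-Output $Message
}

New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
$rebootNeeded = $false

foreach ($path in $FilesToMove) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Log "$path not found."
        continue
    }

    # Hash before touching the file so the sample stays identifiable after it is renamed.
    try   { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash }
    catch { $hash = 'unavailable (file could not be read)' }

    # .vir suffix: the quarantined copy is never runnable by extension.
    $dest = Join-Path $QuarantineDir ((Split-Path -Path $path -Leaf) + '.vir')

    try {
        Move-Item -LiteralPath $path -Destination $dest -Force -ErrorAction Stop
        Write-Log "$path moved successfully. SHA256=$hash"
    } catch {
        # A loaded driver or an open handle blocks the move; schedule it for the next boot.
        # Source and destination must be on the same volume for a delayed move.
        if ([Win32.Native]::MoveFileEx($path, $dest, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            Write-Log "$path is in use; move to $dest scheduled for next reboot. SHA256=$hash"
            $rebootNeeded = $true
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Log "$path could not be moved or scheduled (Win32 error $err). SHA256=$hash"
        }
    }
}

if ($rebootNeeded) { Write-Log "Reboot required to finish the move. Log: $LogFile" }
```

Moving rather than deleting keeps the sample available for later analysis; the .vir files that Malwarebytes reports later in this thread under C:\QooBox\Quarantine are ComboFix's quarantined copies of the same kind, which is why a detection there is not a live infection. The script only relocates the files; it does not remove whatever service or driver registration loaded them, so that entry has to be checked separately.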

Re: random sounds (thunder/voices) comming from comp

Unread postby rlindeman » September 4th, 2008, 11:08 pm

C:\Windows\System32\cfexfst.sys moved successfully.
C:\Windows\System32\fduvfct.sys moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09042008_220816
rlindeman
Regular Member
 
Posts: 15
Joined: August 25th, 2008, 10:16 pm

Re: random sounds (thunder/voices) comming from comp

Unread postby Shaba » September 5th, 2008, 3:11 am

Let's run another scan to be sure.

If it won't run in normal mode, you may also try it in safe mode.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: random sounds (thunder/voices) comming from comp

Unread postby rlindeman » September 8th, 2008, 10:07 pm

Malwarebytes' Anti-Malware 1.27
Database version: 1130
Windows 6.0.6001 Service Pack 1

9/8/2008 9:06:32 PM
mbam-log-2008-09-08 (21-06-32).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 196573
Time elapsed: 1 hour(s), 10 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Windows\System32\AFinding.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\macidwe.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\Nobicyt.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\routing.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\roxtctm.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\sobicyt.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\tdxdowkc.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\WServing.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.

sheesh! it never ends!
rlindeman
Regular Member
 
Posts: 15
Joined: August 25th, 2008, 10:16 pm
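Reading an MBAM log like the one posted above by hand is fine for one machine, but it helps to know what the format actually tells you. Every hit in that log sits under C:\QooBox\Quarantine, which is the folder ComboFix uses for its own quarantine, so MBAM was deleting copies that an earlier tool had already isolated rather than anything still active. The parser below is an added example, not code from the thread or from Malwarebytes; it reads the MBAM 1.x summary and section layout, checks that the summary counts agree with the items listed, and separates hits inside a known quarantine folder from hits on live paths. The sample log is constructed in that layout, the `sample.exe` entry and the `Delete on reboot.` outcome are assumptions added to show an unfinished removal (the kind the Note about restarting refers to), and the quarantine-folder list is an assumption you would extend for your own tools.

```python
"""Parse and sanity-check a Malwarebytes' Anti-Malware 1.x log.

Added example, not part of the forum thread or of MBAM itself.
"""
import re

# Constructed sample in the MBAM 1.x layout (abbreviated; paths and the
# 'sample.exe' entry are made up for this example).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.27
Database version: 1130
Windows 6.0.6001 Service Pack 1

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 196573
Time elapsed: 1 hour(s), 10 minute(s), 19 second(s)

Memory Processes Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Windows\System32\AFinding.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\routing.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\sample.exe (Trojan.Agent) -> Delete on reboot.
"""

# Summary lines: "<Section> Infected: <count>"
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# Detection lines: "<path> (<detection name>) -> <outcome>"
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")
# Assumption: quarantine folders of other cleanup tools; QooBox belongs to ComboFix.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)


def parse_mbam_log(text):
    """Return (summary counts, {section: [detections]}) from an MBAM log."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:  # summary block near the top of the log
            summary[m.group(1)] = int(m.group(2))
            continue
        if line.endswith(" Infected:"):  # start of a detail section
            current = line[:-1]
            sections[current] = []
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        d = DETECTION_RE.match(line)
        if d:
            sections[current].append(d.groupdict())
    return summary, sections


def in_quarantine(path):
    """True when the hit is a copy already isolated by another tool."""
    low = path.lower()
    return any(marker in low for marker in QUARANTINE_MARKERS)


def check_log(text):
    """Cross-check summary counts and classify file hits for triage."""
    summary, sections = parse_mbam_log(text)
    mismatches = [
        f"{name}: summary says {summary[name]}, listed {len(items)}"
        for name, items in sections.items()
        if name in summary and summary[name] != len(items)
    ]
    files = sections.get("Files Infected", [])
    return {
        "count_mismatches": mismatches,
        "already_quarantined": [f["path"] for f in files if in_quarantine(f["path"])],
        "live_hits": [f["path"] for f in files if not in_quarantine(f["path"])],
        # Anything not reported as quarantined and deleted still needs follow-up
        # (typically the reboot the MBAM note asks for).
        "unfinished": [f["path"] for f in files
                       if not f["action"].startswith("Quarantined and deleted")],
    }


if __name__ == "__main__":
    for key, value in check_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved mbam-log-*.txt by reading the file into `check_log`; an empty `live_hits` list with everything under a quarantine folder is the "that looks fine" outcome Shaba gives above, while anything in `unfinished` means the machine has not yet been rebooted to finish the removal.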

Re: random sounds (thunder/voices) comming from comp

Unread postby Shaba » September 9th, 2008, 8:18 am

OK, that looks fine.

Still some issues left?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: random sounds (thunder/voices) comming from comp

Unread postby rlindeman » September 9th, 2008, 3:22 pm

Nope. As far as I have seen there haven't been any other issues. Thank you so much for your help!!
rlindeman
Regular Member
 
Posts: 15
Joined: August 25th, 2008, 10:16 pm