Free Malware Removal Forum

[Th3KaNgSt3R]

Something just started today that's really annoying. Whenever I go to google or some other major search engine it redirects me to a site called ffsearcher or something. When I search something it lists the search results and when I click one it usually takes me to a site called lightmedia or some other ad site.

Heres the scan from HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:50 AM, on 6/16/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\hp\support\hpsysdrv.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE
C:\Users\sanhanin\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\OfficeSAS.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Users\sanhanin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sanhanin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sanhanin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sanhanin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\RegCure\regcure.exe
C:\Users\sanhanin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sanhanin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sanhanin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] C:\PROGRA~1\MICROS~3\Office14\GROOVEMN.EXE
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\sanhanin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [] C:\Users\sanhanin\AppData\Local\Temp\o39q7uc0.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\Users\sanhanin\AppData\Local\Temp\o39q7uc0.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\Users\sanhanin\AppData\Local\Temp\login.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WallpaperSS] C:\Program Files\WallpaperSS\WallpaperSS.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: OfficeSAS.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: S&end to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Application Experience AeLookupSvcALG (AeLookupSvcALG) - Unknown owner - C:\Windows\system32\f.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8216 bytes
I've already scanned it with malwarebytes vipre and adaware and it still hasn't fixed it

[Shaba]

Hi Th3KaNgSt3R

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

[Th3KaNgSt3R]

Hey thanks for the help so far .

Heres the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:07 PM, on 6/19/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\hp\support\hpsysdrv.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE
C:\Users\sanhanin\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\hp\kbd\kbd.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Users\sanhanin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sanhanin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] C:\PROGRA~1\MICROS~3\Office14\GROOVEMN.EXE
O4 - HKCU\..\Run: [Google Update] "C:\Users\sanhanin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: OfficeSAS.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: S&end to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6555 bytes


And heres the ComboFix log:

ComboFix 09-06-18.02 - sanhanin 06/19/2009 12:47.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.894.460 [GMT -7:00]
Running from: c:\users\sanhanin\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Outdated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Sunbelt VIPRE *disabled* (Outdated) {9817B764-AE4E-4B29-AEE7-725B7A50BD48}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-4176474357-2021797294-3589835384-500
c:\$recycle.bin\S-1-5-21-517598597-2044576067-1855070888-1000
c:\$recycle.bin\S-1-5-21-517598597-2044576067-1855070888-500
C:\juxdjt.exe
c:\program files\podmena
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500\desktop.ini
c:\$recycle.bin\S-1-5-21-4176474357-2021797294-3589835384-500\desktop.ini
c:\$recycle.bin\S-1-5-21-517598597-2044576067-1855070888-1000\desktop.ini
c:\$recycle.bin\S-1-5-21-517598597-2044576067-1855070888-500\desktop.ini
c:\program files\podmena\podmena.dll
c:\program files\podmena\podmena.sys
c:\windows\zaponce53290.dat
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PODMENADRV
-------\Service_podmena
-------\Service_podmenadrv


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 19:57 . 2009-06-19 19:57 -------- d-----w- C:\WTablet
2009-06-19 19:54 . 2009-06-19 19:57 -------- d-----w- c:\users\sanhanin\AppData\Local\temp
2009-06-19 18:56 . 2009-06-19 18:56 -------- d-----w- c:\users\sanhanin\AppData\Roaming\Nexon
2009-06-19 18:45 . 2009-06-19 18:45 -------- d-----w- c:\programdata\TuneUp Software
2009-06-19 18:41 . 2009-06-19 18:41 -------- d-----w- c:\users\sanhanin\AppData\Roaming\TuneUp Software
2009-06-19 18:40 . 2009-06-19 18:41 -------- d-----w- c:\program files\Windows MatriX Tune Up
2009-06-17 18:25 . 2008-01-19 07:34 15872 ----a-w- c:\windows\system32\hcrstco.dll
2009-06-16 18:22 . 2009-06-16 18:27 -------- d-----w- c:\program files\RegCure
2009-06-16 18:18 . 2009-06-16 18:18 -------- d-----w- c:\program files\Zone Labs
2009-06-16 18:18 . 2009-06-16 18:18 -------- d-----w- c:\programdata\CheckPoint
2009-06-16 18:17 . 2009-06-16 18:18 -------- d-----w- c:\windows\Internet Logs
2009-06-16 17:36 . 2006-11-02 09:39 15821312 ----a-w- c:\windows\system32\imageres.dll
2009-06-16 03:31 . 2009-06-16 03:31 -------- d-----w- c:\users\sanhanin\AppData\Roaming\WallpaperSS
2009-06-16 03:05 . 2009-06-17 18:49 -------- d-----w- c:\program files\MP3 WAV Converter
2009-06-16 01:33 . 2009-06-16 01:33 229888 ----a-w- c:\windows\system32\msshsq.dll
2009-06-15 22:09 . 2009-06-15 22:09 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-06-15 22:09 . 2009-06-15 22:09 -------- d-----w- c:\windows\PCHEALTH
2009-06-15 22:09 . 2009-06-15 22:09 -------- d-----w- c:\program files\Microsoft.NET
2009-06-15 22:09 . 2009-06-15 22:09 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-06-15 22:09 . 2009-06-15 22:09 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-06-15 22:08 . 2009-06-15 22:08 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-06-15 22:07 . 2009-06-15 22:07 -------- d-----w- c:\program files\Microsoft Analysis Services
2009-06-15 22:06 . 2009-06-15 22:06 -------- d-----w- c:\users\sanhanin\AppData\Local\Microsoft Help
2009-06-15 22:05 . 2009-06-15 22:14 -------- d-----w- c:\programdata\Microsoft Help
2009-06-15 22:04 . 2009-06-15 22:04 -------- d--h--r- C:\MSOCache
2009-06-15 03:27 . 2009-06-15 03:27 34816 ----a-w- c:\users\sanhanin\AppData\Roaming\Thinstall\LimeWire PRO 5.1.3\1000000900002i\mfpmp.exe
2009-06-15 03:27 . 2009-06-15 03:27 34816 ----a-w- c:\users\sanhanin\AppData\Roaming\Thinstall\LimeWire PRO 5.1.3\10000002c00002i\wmplayer.exe
2009-06-15 02:38 . 2009-06-19 18:37 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-15 02:36 . 2009-06-19 18:37 -------- d-----w- c:\programdata\Lavasoft
2009-06-14 23:22 . 2009-06-14 23:22 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-06-14 23:22 . 2009-06-14 23:22 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-06-14 23:22 . 2009-06-14 23:22 11264 ----a-w- c:\windows\system32\icardres.dll
2009-06-14 23:22 . 2009-06-14 23:22 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-14 23:22 . 2009-06-14 23:22 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-06-14 23:22 . 2009-06-14 23:22 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-06-14 23:22 . 2009-06-14 23:22 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-06-14 22:47 . 2009-06-14 22:47 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-06-14 22:47 . 2009-06-14 22:47 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-06-14 22:47 . 2009-06-14 22:47 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-14 22:46 . 2009-06-14 22:46 268800 ----a-w- c:\windows\system32\es.dll
2009-06-14 02:22 . 2007-07-23 16:23 21632 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2009-06-14 02:22 . 2007-07-23 16:23 19840 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2009-06-14 02:22 . 2007-07-23 16:23 12416 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-06-14 02:22 . 2009-06-14 02:22 -------- d-----w- c:\program files\LG Electronics
2009-06-14 02:22 . 2009-06-14 02:22 -------- d-----w- c:\program files\Verizon Wireless
2009-06-14 02:19 . 2009-06-14 02:19 -------- d-----w- c:\program files\BitPim
2009-06-14 01:53 . 2009-06-14 01:53 -------- d-----w- c:\program files\Audacity
2009-06-14 00:46 . 2009-06-14 00:46 34816 ----a-w- c:\users\sanhanin\AppData\Roaming\Thinstall\LimeWire PRO 5.1.3\1000000900003i\ipconfig.exe
2009-06-13 17:18 . 2009-06-13 17:19 -------- d-----w- c:\programdata\NVIDIA
2009-06-13 16:29 . 2009-06-13 17:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-13 16:29 . 2009-06-13 16:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-13 16:05 . 2009-06-19 18:37 -------- d-----w- c:\program files\Ace Utilities
2009-06-13 15:36 . 2009-06-13 15:36 223232 ----a-w- c:\windows\system32\SLC.dll
2009-06-13 15:36 . 2009-06-13 15:36 268288 ----a-w- c:\windows\system32\mcbuilder.exe
2009-06-13 15:36 . 2009-06-13 15:36 33280 ----a-w- c:\windows\system32\slwmi.dll
2009-06-13 15:36 . 2009-06-13 15:36 566784 ----a-w- c:\windows\system32\SLCommDlg.dll
2009-06-13 15:36 . 2009-06-13 15:36 351232 ----a-w- c:\windows\system32\SLUI.exe
2009-06-13 15:36 . 2009-06-13 15:36 186368 ----a-w- c:\windows\system32\SLLUA.exe
2009-06-13 15:36 . 2009-06-13 15:36 57856 ----a-w- c:\windows\system32\SLUINotify.dll
2009-06-13 15:36 . 2009-06-13 15:36 2605568 ----a-w- c:\windows\system32\SLsvc.exe
2009-06-13 15:36 . 2009-06-13 15:36 39936 ----a-w- c:\windows\system32\slcinst.dll
2009-06-13 15:32 . 2009-06-13 15:32 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-06-13 15:32 . 2009-06-13 15:32 712192 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-06-13 15:32 . 2009-06-13 15:32 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-06-13 15:31 . 2009-06-13 15:31 441856 ----a-w- c:\windows\system32\win32spl.dll
2009-06-13 15:31 . 2009-06-13 15:31 37376 ----a-w- c:\windows\system32\printcom.dll
2009-06-13 15:30 . 2009-06-13 15:30 14848 ----a-w- c:\windows\system32\wshrm.dll
2009-06-13 15:30 . 2009-06-13 15:30 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-06-13 15:29 . 2009-06-13 15:29 11776 ----a-w- c:\windows\system32\sbunattend.exe
2009-06-13 15:27 . 2009-06-13 15:27 290304 ----a-w- c:\windows\system32\drivers\srv.sys
2009-06-13 15:27 . 2009-02-11 19:48 109088 ----a-w- c:\windows\RTKAUDIOSERVICE.EXE
2009-06-13 15:25 . 2009-06-13 15:25 83968 ----a-w- c:\windows\system32\dnsrslvr.dll
2009-06-13 15:25 . 2009-06-13 15:25 24576 ----a-w- c:\windows\system32\dnscacheugc.exe
2009-06-13 15:24 . 2007-11-08 00:31 1191936 ----a-w- c:\windows\RtlUpd.exe
2009-06-13 15:24 . 2007-07-25 16:33 135168 ----a-w- c:\windows\system32\SRSWOW.dll
2009-06-13 15:24 . 2006-12-13 17:30 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2009-06-13 15:24 . 2008-01-15 18:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
2009-06-13 15:24 . 2009-06-13 15:24 315392 ----a-w- c:\windows\HideWin.exe
2009-06-13 15:24 . 2009-06-13 15:24 269824 ----a-w- c:\windows\system32\schannel.dll
2009-06-13 15:17 . 2009-06-13 15:17 -------- d-----w- c:\users\sanhanin\AppData\Roaming\WinBatch
2009-06-13 02:39 . 2009-06-13 02:39 -------- d-----w- c:\users\sanhanin\AppData\Roaming\GRETECH
2009-06-13 02:39 . 2009-06-13 02:39 -------- d-----w- c:\program files\GRETECH
2009-06-13 00:24 . 2008-04-26 22:14 58792 ----a-w- c:\windows\system32\wbload.dll
2009-06-13 00:24 . 2008-04-26 22:14 42672 ----a-w- c:\windows\system32\wbsys.dll
2009-06-12 22:41 . 2009-06-12 22:41 -------- d-----w- c:\program files\Trend Micro
2009-06-12 21:23 . 2009-06-12 21:23 -------- d-----w- c:\users\sanhanin\AppData\Roaming\Malwarebytes
2009-06-12 21:23 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 21:23 . 2009-06-12 21:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 21:23 . 2009-06-12 21:23 -------- d-----w- c:\programdata\Malwarebytes
2009-06-12 21:23 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 19:39 . 2009-06-12 19:39 -------- d-----w- c:\users\sanhanin\AppData\Roaming\AdobeUM
2009-06-12 19:39 . 2009-06-12 19:39 3072 ----a-w- C:\jyvuulhc.exe
2009-06-12 19:38 . 2009-06-12 19:38 179 ----a-w- C:\d45.bat
2009-06-12 19:38 . 2009-06-12 19:39 -------- d-----w- c:\users\sanhanin\AppData\Local\Adobe
2009-06-12 18:57 . 2009-06-12 18:57 -------- d-----w- c:\windows\Sun
2009-06-12 18:00 . 2009-06-12 18:00 -------- d-----w- c:\users\Administrator\AppData\Local\Hewlett-Packard
2009-06-12 18:00 . 2009-06-12 18:00 -------- d-----w- c:\users\Administrator\AppData\Roaming\Hewlett-Packard
2009-06-12 17:59 . 2009-06-12 21:12 72192 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-12 17:59 . 2009-06-12 17:59 -------- d-----w- c:\users\Administrator\AppData\Roaming\Sunbelt
2009-06-12 17:43 . 2009-05-13 15:23 876144 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090612.003\NAVEX15.SYS
2009-06-12 17:43 . 2009-05-13 15:23 1181040 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090612.003\NAVEX32A.DLL
2009-06-12 17:43 . 2009-05-13 15:23 89104 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090612.003\NAVENG.SYS
2009-06-12 17:43 . 2009-05-13 15:23 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090612.003\EECTRL.SYS
2009-06-12 17:43 . 2009-05-13 15:23 259368 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090612.003\ECMSVR32.DLL
2009-06-12 17:43 . 2009-05-13 15:23 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090612.003\NAVENG32.DLL
2009-06-12 17:43 . 2009-05-13 15:23 101936 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090612.003\ERASER.SYS
2009-06-12 17:43 . 2009-05-13 15:23 2414128 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20090612.003\CCERASER.DLL
2009-06-12 17:37 . 2009-06-12 17:44 -------- d-----w- c:\users\sanhanin\AppData\Roaming\Skype
2009-06-12 17:35 . 2009-06-12 17:35 -------- d-----w- c:\users\sanhanin\AppData\Roaming\Sunbelt
2009-06-12 17:35 . 2009-06-12 17:35 -------- d-----w- c:\programdata\Sunbelt
2009-06-12 17:33 . 2009-05-13 15:23 1181040 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp434d.tmp\NAVEX32A.DLL
2009-06-12 17:33 . 2009-05-13 15:23 89104 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp434d.tmp\NAVENG.SYS
2009-06-12 17:33 . 2009-05-13 15:23 876144 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp434d.tmp\NAVEX15.SYS
2009-06-12 17:33 . 2009-05-13 15:23 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp434d.tmp\NAVENG32.DLL
2009-06-12 17:33 . 2009-05-13 15:23 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp434d.tmp\EECTRL.SYS
2009-06-12 17:33 . 2009-05-13 15:23 259368 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp434d.tmp\ECMSVR32.DLL
2009-06-12 17:33 . 2009-05-13 15:23 101936 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp434d.tmp\ERASER.SYS
2009-06-12 17:33 . 2009-05-13 15:23 2414128 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp434d.tmp\CCERASER.DLL
2009-06-12 17:31 . 2009-06-12 09:16 1317 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp1d6d.tmp\cur.scr
2009-06-12 17:29 . 2008-10-09 17:21 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys
2009-06-12 17:29 . 2009-06-12 17:29 -------- d-----w- c:\program files\Sunbelt Software
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\programdata\Stardock
2009-06-12 17:26 . 2007-06-05 18:26 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2009-06-12 17:25 . 2009-06-12 17:25 34816 ----a-w- c:\users\sanhanin\AppData\Roaming\Thinstall\LimeWire PRO 5.1.3\1000000600002i\verclsid.exe
2009-06-12 17:22 . 2009-06-17 18:30 -------- d-----w- c:\users\sanhanin\AppData\Roaming\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 17:32 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-18 18:47 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-18 18:47 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-18 18:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-18 18:47 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-18 18:47 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-18 18:47 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-18 18:47 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-18 18:45 . 2009-06-18 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-06-18 18:40 . 2006-11-02 10:32 101376 ----a-w- c:\windows\system32\ifxcardm.dll
2009-06-18 18:39 . 2006-11-02 10:32 79872 ----a-w- c:\windows\system32\axaltocm.dll
2009-06-16 01:33 . 2007-01-10 00:43 -------- d-----w- c:\program files\Microsoft Works
2009-06-15 22:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2009-06-14 06:17 . 2009-06-12 17:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\WTablet
2009-06-14 02:22 . 2007-01-10 00:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-14 02:22 . 2007-01-10 00:35 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-13 15:24 . 2007-01-10 00:35 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-06-13 15:24 . 2007-01-10 00:35 -------- d-----w- c:\program files\Realtek
2009-06-12 19:30 . 2007-01-10 00:49 -------- d-----w- c:\program files\Yahoo!
2009-06-12 19:29 . 2007-01-10 00:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-12 19:24 . 2007-01-10 00:51 -------- d-----w- c:\programdata\Symantec
2009-06-12 17:02 . 2007-01-10 00:39 -------- d-----w- c:\programdata\WildTangent
2009-06-12 17:02 . 2007-01-10 00:36 -------- d-----w- c:\program files\HP Games
2009-06-12 10:24 . 2009-06-12 10:24 1793536 ----a-w- c:\windows\system32\NlsLexicons0045.dll
2009-06-12 10:19 . 2009-06-12 10:19 613888 ----a-w- c:\windows\system32\wpd_ci.dll
2009-06-12 09:39 . 2009-06-12 09:39 72704 ----a-w- c:\windows\system32\admparse.dll
2009-06-12 09:39 . 2009-06-12 09:39 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-12 09:39 . 2009-06-12 09:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-12 09:39 . 2009-06-12 09:39 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-06-12 09:39 . 2009-06-12 09:39 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-06-12 09:39 . 2009-06-12 09:39 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-06-12 08:13 . 2009-06-12 08:12 1820 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_RQ404AA-ABA a1742n_YC_0Pavi_QMXX703_E71NAv3PrA4_49_INODUSM3_SASUSTek Computer INC._V1.05_B5.04_T061215_WUH0_L409_M895_J320_7AMD_8Athlon 64 X2 Dual Core_92_#070322_N10DE0269_Z14F12F20_G10DE0241.MRK
2009-06-12 07:36 . 2007-01-10 01:05 -------- d-----w- c:\programdata\Hewlett-Packard
2009-06-12 07:25 . 2009-06-12 07:25 -------- d-sh--we c:\programdata\Templates
2009-06-12 07:25 . 2009-06-12 07:25 -------- d-sh--we c:\programdata\Start Menu
2009-06-12 07:25 . 2009-06-12 07:25 -------- d-sh--we c:\programdata\Favorites
2009-06-12 07:25 . 2009-06-12 07:25 -------- d-sh--we c:\programdata\Documents
2009-06-12 07:25 . 2009-06-12 07:25 -------- d-sh--we c:\programdata\Desktop
2009-05-13 15:23 . 2007-01-10 00:54 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\eeCtrl.sys
2009-05-13 15:23 . 2007-01-10 00:54 101936 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ERASER.sys
2009-05-13 15:23 . 2007-01-10 00:54 89104 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng.sys
2009-05-13 15:23 . 2007-01-10 00:54 876144 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex15.sys
2009-05-13 15:23 . 2007-01-10 00:54 259368 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ecmsvr32.dll
2009-05-13 15:23 . 2007-01-10 00:54 2414128 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\cceraser.dll
2009-05-13 15:23 . 2007-01-10 00:54 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng32.dll
2009-05-13 15:23 . 2007-01-10 00:54 1181040 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex32a.dll
2009-04-30 20:56 . 2009-04-30 20:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-04-17 20:53 . 2009-04-17 20:53 40960 ----a-w- c:\windows\system32\VBAME.DLL
2009-04-08 22:49 . 2009-04-08 22:49 1064296 ----a-w- c:\windows\system32\WebServices.dll
2009-04-08 22:37 . 2009-04-08 22:37 4319136 ----a-w- c:\windows\system32\OSPPSVC.EXE
2009-04-08 22:37 . 2009-04-08 22:37 192432 ----a-w- c:\windows\system32\OSPPRUN.EXE
2009-04-08 22:37 . 2009-04-08 22:37 1423256 ----a-w- c:\windows\system32\OSPPOBJS.DLL
2009-04-08 22:37 . 2009-04-08 22:37 1156016 ----a-w- c:\windows\system32\OSPPCEXT.DLL
2009-04-08 22:37 . 2009-04-08 22:37 110472 ----a-w- c:\windows\system32\OSPPC.DLL
2009-04-08 22:37 . 2009-04-08 22:37 114568 ----a-w- c:\windows\system32\wbem\OSPPWMI.DLL
2009-04-08 22:26 . 2009-04-08 22:26 31616 ----a-w- c:\windows\system32\FM20ENU.DLL
2009-04-08 22:26 . 2009-04-08 22:26 1204072 ----a-w- c:\windows\system32\FM20.DLL
2009-03-27 10:13 . 2009-03-27 10:13 761152 ----a-w- c:\windows\system32\msvcr100.dll
2009-03-27 10:13 . 2009-03-27 10:13 425296 ----a-w- c:\windows\system32\msvcp100.dll
2009-03-27 10:13 . 2009-03-27 10:13 250704 ----a-w- c:\windows\system32\msvcm100.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-04-08 23:05 739688 ----a-w- c:\progra~1\MICROS~3\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\sanhanin\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-06-12 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-12 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-06-10 959784]
"GrooveMonitor"="c:\progra~1\MICROS~3\Office14\GROOVEMN.EXE" [2009-04-26 875392]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2007-1-9 34520]
OfficeSAS.lnk - c:\program files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe [2009-4-8 122264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D3CB7BCA-2A55-476D-9469-3B3078F00DC5}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{E0CA1319-A0F9-49FB-AEAC-0EF89D7030E3}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{5FB38725-ECD7-465C-A88B-E6B4CD69705E}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{CBA57245-AA14-4C25-A257-FDDB902B47D9}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{D9237460-F2FD-47A4-B3FB-9395A13A0EC1}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{31980B3F-A038-4371-A9C4-052FBE28D838}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{71966ED2-68A6-4085-B724-43808D160F5E}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{09CEA97C-C3D5-40D4-881C-2477E2BBD722}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EF7B4E1D-E9F5-4C97-974A-AA7D53D774E1}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{DAF5A5F6-1E4C-4488-849D-EE15AC1BBFC1}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{FA921A27-FE78-48A6-B47B-40565ACACF98}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6538BE25-A5AF-4017-96CB-56A47A1FB704}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D2265865-18A5-4555-B9B9-E1B56E24D98B}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5EADA479-CAA6-43FA-9DF5-E8B2FA286FFD}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{46DEAF41-03DC-4EE6-A34A-08BD01861A4C}"= UDP:c:\program files\Microsoft Office\Office14\GROOVE.EXE:Microsoft SharePoint Workspace
"{E75255B6-99F4-4D27-882F-A2AF1F5284DF}"= TCP:c:\program files\Microsoft Office\Office14\GROOVE.EXE:Microsoft SharePoint Workspace
"{B757CBB2-6863-442E-8830-1559765DBC63}"= UDP:c:\program files\Microsoft Office\Office14\ONENOTE.EXE:Microsoft Office OneNote
"{C073352E-F3F1-4FF4-98C2-EECCC53C4BE2}"= TCP:c:\program files\Microsoft Office\Office14\ONENOTE.EXE:Microsoft Office OneNote
"{A3052AE2-EE6E-436F-8AA5-F2BE862EC714}"= TCP:6004|c:\program files\Microsoft Office\Office14\outlook.exe:Microsoft Office Outlook
"{E00FCECA-533D-4915-B70E-22F9DA1A337F}"= UDP:c:\users\sanhanin\Desktop\LimeWire PRO 5.1.3.exe:LimeWire
"{092B6AAE-20D3-45CB-92D4-65D71DDCFD8B}"= TCP:c:\users\sanhanin\Desktop\LimeWire PRO 5.1.3.exe:LimeWire
"TCP Query User{19AA227A-3A79-4CDA-9DAE-CC713903D121}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{2EC5730A-2233-4790-AC7C-CB9EAEDC1B21}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 sbtis;sbtis;c:\windows\System32\drivers\sbtis.sys [6/12/2009 10:29 AM 202928]
R2 osppsvc;Office Software Protection Platform;c:\windows\System32\OSPPSVC.EXE [4/8/2009 3:37 PM 4319136]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [6/10/2009 6:00 AM 980264]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [6/13/2009 9:29 AM 1153368]
R2 TabletServicePen;TabletServicePen;c:\windows\System32\Pen_Tablet.exe [6/12/2009 2:11 AM 3032360]
R3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\System32\drivers\AGUx86.sys [8/6/2008 6:09 PM 905728]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\System32\drivers\wacmoumonitor.sys [6/12/2009 2:11 AM 15144]
S2 AeLookupSvcALG;Application Experience AeLookupSvcALG; [x]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [4/25/2009 6:18 PM 33480048]

--- Other Services/Drivers In Memory ---

*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226EE}
.
Contents of the 'Scheduled Tasks' folder

2009-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-517598597-2044576067-1855070888-1000.job
- c:\users\sanhanin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-12 17:06]

2009-06-19 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 18:23]

2009-06-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 18:23]

2009-06-19 c:\windows\Tasks\User_Feed_Synchronization-{B2BDD502-2609-4C28-AC6C-578A469927F8}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-<NO NAME> - (no file)
HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: S&end to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: {{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 12:57
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\rundll32.exe
c:\program files\Microsoft Office\Office14\GROOVEMN.EXE
c:\program files\Microsoft Office\Office14\OfficeSAS\OfficeSAS.exe
c:\program files\Common Files\microsoft shared\ink\InputPersonalization.exe
c:\hp\KBD\kbd.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-06-19 13:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 20:02

Pre-Run: 255,941,361,664 bytes free
Post-Run: 254,720,905,216 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
377 --- E O F --- 2009-06-19 17:27

[Shaba]

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:



5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

[Th3KaNgSt3R]

Hey thanks for all the help but it started to work right after I scanned it with combofix....kinda strange but its good now so I don't need any more help but thanks again!

[Shaba]

We are not done.

Please follow my previous instructions

[Th3KaNgSt3R]

Ok heres the list:

Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Audacity 1.2.6
DivX
Enhanced Multimedia Keyboard Solution
GOM Player
Hardware Diagnostic Tools
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Connections (remove only)
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
Java(TM) 6 Update 14
LG USB Modem driver
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MP3 WAV Converter 3.98
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
My HP Games
NVIDIA Drivers
Pen Tablet
Python 2.4.3
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Skype™ Beta 4.1
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VZAccess Manager
Windows MatriX Tune Up v3100
WinRAR archiver

[Shaba]

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  Code: Select all

  File::
  c:\users\sanhanin\Desktop\LimeWire PRO 5.1.3.exe
  
  Folder::
  c:\users\sanhanin\AppData\Roaming\Thinstall\LimeWire PRO 5.1.3
  c:\users\sanhanin\AppData\Roaming\LimeWire
  
  Registry::
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
  "{E00FCECA-533D-4915-B70E-22F9DA1A337F}"=-
  "{092B6AAE-20D3-45CB-92D4-65D71DDCFD8B}"=-
  

  
  
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

[Shaba]

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.