
Solved: Notepad and UAC problem in Vista

Discussion in 'Malware and Virus Removal Archive' started by tez.1, 2007/11/22.

  1. 2007/11/22
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    [Resolved] Notepad and UAC problem in Vista

    Hi to you all


    I have a problem with my Vista laptop.

    When I connect to the internet, after a few minutes a Notepad window with Chinese text opens.
    Also, if I enable UAC in Vista, I get web pages that open on their own. I have Norton 360 and Ad-Aware; both find nothing.

    Log is here
    Logfile of HijackThis v1.99.1
    Scan saved at 08:47:27, on 22/11/2007
    Platform: Unknown Windows (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16546)

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Users\Terry\Program Files\BitTorrent_DNA\dna.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\WINDOWS\System32\cmd.exe
    C:\Windows\system32\orrx.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Terry\Desktop\hijackthis_sfx\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=laptop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [\\Livingroom\EPSON Stylus Photo RX560 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\E_S2A50.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKCU\..\Run: [EPSON Stylus Photo RX560 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Windows\TEMP\E_S2EAE.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [EPSON Stylus Photo RX560 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\E_S8630.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Terry\Program Files\BitTorrent_DNA\dna.exe "
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O13 - Gopher Prefix:
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/VistaMSNPUplden-gb.cab
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
    O23 - Service: ccEvtMgr - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: ccSetMgr - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    Please help, as it is driving me round the bend.
     
  4. 2007/11/22
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    Updated scan

    Deckard's System Scanner v20071014.68
    Run by Terry on 2007-11-22 18:12:31
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Terry.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:12:34, on 22/11/2007
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16546)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Users\Terry\Program Files\BitTorrent_DNA\dna.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\notepad.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Terry\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Terry.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=laptop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [\\Livingroom\EPSON Stylus Photo RX560 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\E_S2A50.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKCU\..\Run: [EPSON Stylus Photo RX560 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Windows\TEMP\E_S2EAE.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [EPSON Stylus Photo RX560 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\E_S8630.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Terry\Program Files\BitTorrent_DNA\dna.exe "
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe "
    O4 - HKLM\..\Policies\Explorer\Run: [compmgmt] C:\Windows\system32\CTFM0N.EXE
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/VistaMSNPUplden-gb.cab
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
    O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 10807 bytes

    -- Files created between 2007-10-22 and 2007-11-22 -----------------------------

    2007-11-22 18:11:29 0 d-------- C:\Program Files\Trend Micro
    2007-11-22 17:43:22 0 d-------- C:\Users\All Users\Kaspersky Lab
    2007-11-22 17:43:21 0 d-------- C:\Windows\system32\Kaspersky Lab
    2007-11-22 17:32:08 0 d-------- C:\Program Files\Add Remove Pro
    2007-11-22 14:47:19 29729 --a------ C:\Windows\system32\Indt2.sys
    2007-11-22 08:41:19 0 d-------- C:\Users\All Users\Lavasoft
    2007-11-22 08:41:19 0 d-------- C:\Program Files\Lavasoft
    2007-11-22 08:40:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-21 08:39:31 50960 --a------ C:\Windows\system32\orrx.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    2007-11-20 16:31:37 0 d-------- C:\Windows\Sun
    2007-11-20 10:09:04 0 d-------- C:\Program Files\Driving Test Success 2006-2007
    2007-11-19 20:53:01 0 d-------- C:\Program Files\KellySoftware
    2007-11-19 15:44:59 256512 --a------ C:\Windows\system32\ndt2.sys
    2007-11-19 10:28:12 0 d-------- C:\Users\All Users\WebEx
    2007-11-18 22:44:18 0 -rahs---- C:\MSDOS.SYS
    2007-11-18 22:44:18 0 -rahs---- C:\IO.SYS
    2007-11-18 18:11:36 0 d-------- C:\Users\All Users\Driving Test Success
    2007-11-18 17:15:41 0 d-------- C:\Program Files\MagicDVDRipper
    2007-11-18 16:41:34 0 d-------- C:\Users\All Users\DVD Shrink
    2007-11-18 16:41:13 0 d-------- C:\Program Files\DVD Shrink
    2007-11-17 17:25:59 28160 --a------ C:\Windows\system32\CTFM0N.EXE
    2007-11-10 19:01:57 18816 --a------ C:\Windows\system32\drivers\dvd43llh.sys <Not Verified; RIF; DVD For Free>
    2007-11-10 19:01:57 0 d-------- C:\Program Files\dvd43
    2007-11-04 19:42:09 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
    2007-10-26 14:38:42 0 d-------- C:\Program Files\EPSON Print CD
    2007-10-24 14:56:42 0 d-------- C:\Users\All Users\UDL
    2007-10-24 14:54:39 111932 --a------ C:\Windows\system32\EPPICPrinterDB.dat
    2007-10-24 14:54:39 1139 --a------ C:\Windows\system32\EPPICPresetData_PT.dat
    2007-10-24 14:54:39 1120 --a------ C:\Windows\system32\EPPICPresetData_IT.dat
    2007-10-24 14:54:39 1107 --a------ C:\Windows\system32\EPPICPresetData_GE.dat
    2007-10-24 14:54:39 1129 --a------ C:\Windows\system32\EPPICPresetData_FR.dat
    2007-10-24 14:54:39 1136 --a------ C:\Windows\system32\EPPICPresetData_ES.dat
    2007-10-24 14:54:39 1104 --a------ C:\Windows\system32\EPPICPresetData_EN.dat
    2007-10-24 14:54:39 1146 --a------ C:\Windows\system32\EPPICPresetData_DU.dat
    2007-10-24 14:54:39 1129 --a------ C:\Windows\system32\EPPICPresetData_CF.dat
    2007-10-24 14:54:39 1139 --a------ C:\Windows\system32\EPPICPresetData_BP.dat
    2007-10-24 14:54:39 4943 --a------ C:\Windows\system32\EPPICPattern6.dat
    2007-10-24 14:54:39 21390 --a------ C:\Windows\system32\EPPICPattern5.dat
    2007-10-24 14:54:39 11811 --a------ C:\Windows\system32\EPPICPattern4.dat
    2007-10-24 14:54:39 24903 --a------ C:\Windows\system32\EPPICPattern3.dat
    2007-10-24 14:54:39 20148 --a------ C:\Windows\system32\EPPICPattern2.dat
    2007-10-24 14:54:39 31053 --a------ C:\Windows\system32\EPPICPattern131.dat
    2007-10-24 14:54:39 27417 --a------ C:\Windows\system32\EPPICPattern121.dat
    2007-10-24 14:54:39 26154 --a------ C:\Windows\system32\EPPICPattern1.dat
    2007-10-24 14:50:32 0 d-------- C:\Program Files\EPSON
    2007-10-24 14:50:24 0 d-------- C:\Users\All Users\EPSON
    2007-10-22 10:58:53 61440 -----n--- C:\Windows\system32\WanPacket.dll <Not Verified; CACE Technologies; WinPcap low level NetMon wrapper library>
    2007-10-22 10:58:53 81920 -----n--- C:\Windows\system32\Packet.dll <Not Verified; CACE Technologies; WinPcap low level packet library>
    2007-10-22 10:49:34 0 d-------- C:\Users\All Users\TamoSoft


    -- Find3M Report ---------------------------------------------------------------

    2007-11-22 18:09:39 0 d-------- C:\Users\Terry\AppData\Roaming\BitTorrent DNA
    2007-11-22 16:32:44 56019 --a------ C:\Users\Terry\AppData\Roaming\nvModes.001
    2007-11-22 15:49:33 56019 --a------ C:\Users\Terry\AppData\Roaming\nvModes.dat
    2007-11-22 14:54:22 12 --a------ C:\Windows\bthservsdp.dat
    2007-11-22 12:19:17 3140 --ahs---- C:\Windows\system32\KGyGaAvL.sys
    2007-11-22 08:40:28 0 d-------- C:\Program Files\Common Files
    2007-11-21 21:18:33 0 d-------- C:\Program Files\Common Files\LightScribe
    2007-11-18 17:14:49 0 d-------- C:\Users\Terry\AppData\Roaming\BitTorrent
    2007-11-17 17:33:06 0 d-------- C:\Program Files\CONEXANT
    2007-11-14 14:26:01 0 d-------- C:\Program Files\Windows Mail
    2007-11-10 20:19:51 0 d-------- C:\Program Files\Common Files\Nero
    2007-11-09 10:56:52 0 d-------- C:\Users\Terry\AppData\Roaming\RipIt4Me
    2007-11-05 16:14:22 0 d-------- C:\Program Files\TomTom HOME 2
    2007-10-26 16:37:20 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-10-26 16:28:38 0 d-------- C:\Program Files\HP
    2007-10-22 10:58:53 0 d-------- C:\Program Files\Makayama Interactive
    2007-10-21 18:03:24 0 d-------- C:\Program Files\Common Files\Adobe
    2007-10-17 10:46:04 88 -r-hs---- C:\Windows\system32\B487E600D8.sys
    2007-10-17 10:46:03 0 d-------- C:\Users\Terry\AppData\Roaming\Corel
    2007-10-17 10:42:29 0 d-------- C:\Program Files\Common Files\Corel
    2007-10-17 10:40:37 0 d-------- C:\Program Files\Corel
    2007-10-17 10:34:39 0 d-------- C:\Users\Terry\AppData\Roaming\InstallShield
    2007-10-16 18:31:34 0 d-------- C:\Program Files\CyberLink
    2007-10-12 06:52:12 0 d-------- C:\Program Files\KC Softwares
    2007-10-12 06:46:33 0 d-------- C:\Program Files\REFLEX
    2007-10-10 17:55:13 0 d-------- C:\Users\Terry\AppData\Roaming\Pegasys Inc
    2007-10-10 17:50:42 0 d-------- C:\Program Files\Pegasys Inc
    2007-10-10 17:50:05 53248 --a------ C:\Windows\system32\GenSvcInst.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD9>
    2007-10-10 17:50:05 118784 --a------ C:\Windows\system32\bgsvcgen.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD9>
    2007-10-10 13:46:41 0 d-------- C:\Program Files\Xvid
    2007-10-10 09:51:15 0 d-------- C:\Users\Terry\AppData\Roaming\LEAPS
    2007-10-10 05:39:29 0 d-------- C:\Program Files\Norton 360
    2007-10-09 20:20:40 0 d-------- C:\Program Files\AVI MPEG RM WMV Joiner
    2007-10-08 14:45:56 0 d-------- C:\Program Files\Symantec
    2007-10-08 14:44:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-10-06 21:01:20 0 d-------- C:\Program Files\MSN Messenger
    2007-10-03 21:58:52 0 d-------- C:\Users\Terry\AppData\Roaming\TomTom
    2007-10-03 21:58:52 0 d-------- C:\Users\Terry\AppData\Roaming\Mozilla
    2007-10-03 21:58:36 0 d-------- C:\Program Files\TomTom HOME
    2007-10-03 21:54:38 0 d-------- C:\Program Files\TomTom DesktopSuite
    2007-10-03 20:21:05 174 --ahs---- C:\Program Files\desktop.ini
    2007-10-03 19:40:48 0 d-------- C:\Program Files\DVD Decrypter
    2007-10-03 09:06:26 0 d-------- C:\Program Files\SereneScreen
    2007-10-03 03:54:11 0 d-------- C:\Users\Terry\AppData\Roaming\Symantec
    2007-10-03 02:21:16 0 d-------- C:\Program Files\Windows Calendar
    2007-10-03 02:21:13 0 d-------- C:\Program Files\Windows Defender
    2007-10-03 02:02:12 0 d-------- C:\Program Files\MSXML 4.0
    2007-10-02 20:43:38 0 d-------- C:\Program Files\BitTorrent
    2007-10-02 20:43:32 0 d-------- C:\Program Files\BitTorrent_DNA
    2007-10-02 11:38:06 0 d-------- C:\Users\Terry\AppData\Roaming\SnapTeam
    2007-10-02 08:28:57 0 d-------- C:\Program Files\HP DVB-T TV Tuner
    2007-10-02 07:31:25 0 d-------- C:\Users\Terry\AppData\Roaming\Adobe
    2007-10-01 22:41:19 0 d-------- C:\Program Files\WinTV
    2007-10-01 22:21:21 0 d-------- C:\Users\Terry\AppData\Roaming\Nero
    2007-10-01 22:19:24 0 d-------- C:\Program Files\Nero
    2007-10-01 20:56:58 0 d-------- C:\Program Files\Snap
    2007-10-01 19:51:15 0 d-------- C:\Program Files\Microsoft Works
    2007-10-01 19:51:01 0 d-------- C:\Program Files\MSBuild
    2007-10-01 19:49:44 0 d-------- C:\Program Files\Microsoft.NET
    2007-10-01 19:47:34 0 d-------- C:\Program Files\Microsoft Visual Studio 8
    2007-10-01 19:28:15 0 d-------- C:\Users\Terry\AppData\Roaming\WinRAR
    2007-10-01 19:17:23 0 d-------- C:\Program Files\Jasc Software Inc
    2007-10-01 14:49:10 0 d-------- C:\Users\Terry\AppData\Roaming\CyberLink
    2007-10-01 14:47:46 0 d-------- C:\Program Files\Google
    2007-10-01 14:45:12 0 d-------- C:\Users\Terry\AppData\Roaming\HP
    2007-10-01 13:57:42 0 d-------- C:\Program Files\Common Files\Roxio Shared
    2007-10-01 13:53:07 0 d-------- C:\Program Files\Roxio
    2007-10-01 13:21:07 0 d-------- C:\Users\Terry\AppData\Roaming\Identities
    2007-10-01 13:18:04 0 d-------- C:\Users\Terry\AppData\Roaming\Macromedia
    2007-10-01 13:13:08 0 d-------- C:\Users\Terry\AppData\Roaming\Hewlett-Packard
    2007-10-01 13:11:04 81 --a------ C:\Windows\system32\LOG
    2007-09-29 21:47:47 126464 --a------ C:\Windows\2.exe
    2007-08-24 17:08:24 1275392 --a------ C:\Windows\system32\msxml4.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP 2>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [03/10/2007 02:12]
    "WAWifiMessage "= "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [18/10/2006 17:56]
    "TomTomHOME.exe "= "C:\Program Files\TomTom HOME 2\HOMERunner.exe" [31/10/2007 10:19]
    "SynTPStart "= "C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [15/09/2007 02:29]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [15/09/2007 02:50]
    "Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [12/03/2007 17:30]
    "QlbCtrl "= "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [06/11/2006 18:58]
    "NvSvc "= "C:\Windows\system32\nvsvc.dll" [28/02/2007 17:26]
    "NvMediaCenter "= "C:\Windows\system32\NvMcTray.dll" [28/02/2007 17:26]
    "NvCplDaemon "= "C:\Windows\system32\NvCpl.dll" [28/02/2007 17:26]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 15:57]
    "hpWirelessAssistant "= "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [18/10/2006 17:32]
    "HP Software Update "= "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [08/05/2007 15:24]
    "HP Health Check Scheduler "= "C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [28/11/2006 23:42]
    "GrooveMonitor "= "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [26/10/2006 23:47]
    "Corel File Shell Monitor "= "C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [30/10/2007 19:52]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 05:59]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "\\Livingroom\EPSON Stylus Photo RX560 Series "= "C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.exe" [23/05/2006 04:00]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02/11/2006 12:36]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [02/11/2006 12:35]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [17/02/2005 00:15]
    "EPSON Stylus Photo RX560 Series (Copy 1) "= "C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.exe" [23/05/2006 04:00]
    "EPSON Stylus Photo RX560 Series "= "C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.exe" [23/05/2006 04:00]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [02/11/2006 12:35]
    "BitTorrent DNA "= "C:\Users\Terry\Program Files\BitTorrent_DNA\dna.exe" [03/10/2007 02:26]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [20/09/2007 15:35]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "Launcher "=%WINDIR%\SMINST\launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "=2 (0x2)
    "EnableLUA "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
    "compmgmt "=C:\Windows\system32\CTFM0N.EXE

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @= "IEEE 1394 Bus host controllers "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @= "SBP2 IEEE 1394 Devices "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @= "SecurityDevices "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
    bthsvcs BthServ


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20f7de3a-7074-11dc-bf14-001a6b2ef719}]
    AutoRun\command- G:\setupSNK.exe

    *Newly Created Service* - COMHOST

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- End of Deckard's System Scanner: finished at 2007-11-22 18:13:14 ------------
     
  5. 2007/11/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi tez :)

    Please upload the following files to my submission channel. Leave a link back to this topic.

    C:\Windows\2.exe
    C:\Windows\system32\Indt2.sys
    C:\Windows\system32\ndt2.sys
    C:\Windows\system32\orrx.exe

    Thanks!

    Click Start>Run and type or paste the following bolded command, then hit enter.

    sc stop perfmons

    Now do the next command.

    sc delete perfmons


    Delete the following file.

    C:\Windows\system32\perfs.exe

    Scan again with HijackThis and place a check next to the following entry, close all other windows then click Fix Checked.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    Having p2p file sharing apps such as BitTorrent is almost like inviting malware into your computer. There is absolutely no way for you to know which of the hundreds of thousands of users you are sharing files with are infected or not. To add to the security breach, you are running with UAC disabled. I strongly recommend you dump the p2p apps and turn UAC back on.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and a fresh HijackThis log.
     
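    The checks the reply above acts on, as an added example (this thread and the scanners it uses contain no such script): a small Python triage pass over lines copied from the DSS registry dump, the file listing and the HijackThis entry quoted earlier. It flags EnableLUA=0 (UAC off), anything started from the rarely used Policies\Explorer\Run key, an executable whose name matches a Windows binary only after folding the digits 0 and 1 to the letters o and l (it fires on the CTFM0N.EXE entry; whether that file is actually malicious is not something the logs alone establish, which is why files are uploaded for analysis), a bare numeric executable in C:\Windows, and an O2 BHO entry with no file behind it. The KNOWN_BINARIES list and the rule names are this example's own assumptions.

```python
"""Triage a few Deckard's System Scanner / HijackThis log lines.

Added example for this thread; it is not part of the forum post or of
either scanner. It re-checks, over sample lines copied from the logs
quoted above, the conditions the helper's reply acts on.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DSS registry dump, the file
# listing and the HijackThis entry quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin "=2 (0x2)
"EnableLUA "=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"compmgmt "=C:\Windows\system32\CTFM0N.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [02/11/2006 12:35]

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
2007-09-29 21:47:47 126464 --a------ C:\Windows\2.exe
"""

# Assumption: a short illustrative list of Windows binaries whose names
# are often imitated; extend it for real use.
KNOWN_BINARIES = {"ctfmon.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                  "explorer.exe", "winlogon.exe"}

# Digit-for-letter swaps commonly used to make a file name look legitimate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})

# Windows path ending in .exe; allows spaces ("Program Files").
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\"\[\]]+?\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def normalize_name(path: str) -> str:
    """Lower-cased basename with look-alike digits folded to letters."""
    return path.rsplit("\\", 1)[-1].lower().translate(HOMOGLYPHS)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per heuristic hit; rule names are this example's own."""
    findings: list[Finding] = []
    section = ""  # registry key of the current dump block, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        # UAC off: EnableLUA=0 under Policies\System (the reply's main point).
        if section.endswith(r"policies\system") and re.match(r'"EnableLUA\s*"=0\b', line):
            findings.append(Finding("uac-disabled", line))
        # Policies\Explorer\Run is a legitimate but rarely used autostart key,
        # so anything in it deserves a look.
        if section.endswith(r"policies\explorer\run"):
            findings.append(Finding("policies-explorer-run-autorun", line))
        m = EXE_PATH.search(line)
        if m:
            path = m.group(0)
            basename = path.rsplit("\\", 1)[-1].lower()
            folded = normalize_name(path)
            # Name matches a system binary only after folding 0->o / 1->l.
            if folded in KNOWN_BINARIES and basename != folded:
                findings.append(Finding("lookalike-binary-name", line))
            # Bare numeric executable dropped in the Windows directory.
            if re.fullmatch(r"[a-z]:\\windows\\\d+\.exe", path.lower()):
                findings.append(Finding("numeric-exe-in-windows-root", line))
        # HijackThis O2 entry whose CLSID points at no file on disk.
        if line.startswith("O2 - BHO") and line.endswith("(no file)"):
            findings.append(Finding("orphan-bho", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.line}")
```

    Run it against a full DSS or HijackThis log by passing the file contents to triage(); each hit is a lead to verify (hash, signer, upload for analysis), not a verdict, and a clean run says nothing about entries the heuristics do not cover.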
  6. 2007/11/23
    tez.1 (Thread Starter)
    Hi Noahdfear

    Firstly, thank you for all your help.
    The files you asked for have been uploaded to your site.
    The reason the UAC is turned off is that when I rang Norton they turned it off and advised that I leave it off.
    This seemed to stop all the web pages starting up; however, the notepad still keeps opening. When I turned the UAC back on all the web pages started to open, so I turned it back off.
    Also note that the P2P has GONE.

    Again thank you for the help
    Terry

    New logs coming
     
  7. 2007/11/23
    tez.1 (Thread Starter)
    New logs

    Here they are

    Kas log

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, November 23, 2007 9:47:15 AM
    Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 23/11/2007
    Kaspersky Anti-Virus database records: 464421
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 116013
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:22:25

    Infected Object Name / Virus Name / Last Action
    C:\boot\bcd Object is locked skipped
    C:\boot\BCD.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Nero\Nero8\Nero BackItUp\BIU228D.txt Object is locked skipped
    C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
    C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
    C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
    C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
    C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
    C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
    C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
    C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
    C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
    C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
    C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
    C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
    C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
    C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
    C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
    C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
    C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
    C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
    C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
    C:\ProgramData\Kaspersky Lab\AVP7\Report\007b_File_Monitoring_eventlog.rpt Object is locked skipped
    C:\ProgramData\Kaspersky Lab\AVP7\Report\007d_Web_Monitoring_eventlog.rpt Object is locked skipped
    C:\ProgramData\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
    C:\ProgramData\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
    C:\ProgramData\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
    C:\ProgramData\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
    C:\ProgramData\Kaspersky Lab\~PRCustomProps#7d.dat Object is locked skipped
    C:\ProgramData\Kaspersky Lab\~PRObjects#7d.dat Object is locked skipped
    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\685d0ed9e3ecd14d9eaaae632f1be79f_f6595529-44a0-4f5e-8536-67f31fafe5fb Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.64.Crwl Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.64.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.ci Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wsb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy26.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf278C.tmp Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf27CB.tmp Object is locked skipped
    C:\ProgramData\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
    C:\ProgramData\Symantec\Common Client\settings.dat Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\ProgramData\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtETmp\A1EC533D.TMP Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtETmp\BECD848C.TMP Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDALRT.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDCON.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDDBG.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDFW.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDIDS.log Object is locked skipped
    C:\ProgramData\Symantec\SymNetDrv\SNDSYS.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\Users\Terry\AppData\Local\Ahead\Nero Home\bl.db Object is locked skipped
    C:\Users\Terry\AppData\Local\Ahead\Nero Home\is2.db Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112320071124\index.dat Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\UsrClass.dat{921ded85-701f-11dc-bbbf-001b24222c70}.TM.blf Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\UsrClass.dat{921ded85-701f-11dc-bbbf-001b24222c70}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows\UsrClass.dat{921ded85-701f-11dc-bbbf-001b24222c70}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Users\Terry\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
    C:\Users\Terry\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
    C:\Users\Terry\NTUSER.DAT Object is locked skipped
    C:\Users\Terry\ntuser.dat.LOG1 Object is locked skipped
    C:\Users\Terry\ntuser.dat.LOG2 Object is locked skipped
    C:\Users\Terry\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
    C:\Users\Terry\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\Terry\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\WINDOWS\bthservsdp.dat Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Debug\sam.log Object is locked skipped
    C:\WINDOWS\Debug\WIA\wiatrace.log Object is locked skipped
    C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
    C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
    C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
    C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
    C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
    C:\WINDOWS\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
    C:\WINDOWS\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\WINDOWS\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Temp\ehmsdri.log Object is locked skipped
    C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Temp\ehRecvr.log Object is locked skipped
    C:\WINDOWS\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
    C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
    C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
    C:\WINDOWS\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
    C:\WINDOWS\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\WINDOWS\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\WINDOWS\System32\catroot2\edb.log Object is locked skipped
    C:\WINDOWS\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
    C:\WINDOWS\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
    C:\WINDOWS\System32\config\COMPONENTS Object is locked skipped
    C:\WINDOWS\System32\config\COMPONENTS.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\COMPONENTS.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\System32\config\DEFAULT.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\DEFAULT.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\RegBack\COMPONENTS Object is locked skipped
    C:\WINDOWS\System32\config\RegBack\DEFAULT Object is locked skipped
    C:\WINDOWS\System32\config\RegBack\SAM Object is locked skipped
    C:\WINDOWS\System32\config\RegBack\SECURITY Object is locked skipped
    C:\WINDOWS\System32\config\RegBack\SOFTWARE Object is locked skipped
    C:\WINDOWS\System32\config\RegBack\SYSTEM Object is locked skipped
    C:\WINDOWS\System32\config\SAM Object is locked skipped
    C:\WINDOWS\System32\config\SAM.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\SAM.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\SECURITY Object is locked skipped
    C:\WINDOWS\System32\config\SECURITY.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\SECURITY.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\System32\config\SOFTWARE.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\SOFTWARE.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\System32\config\SYSTEM.LOG1 Object is locked skipped
    C:\WINDOWS\System32\config\SYSTEM.LOG2 Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
    C:\WINDOWS\System32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\System32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
    C:\WINDOWS\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\System32\Msdtc\KtmRmTm.blf Object is locked skipped
    C:\WINDOWS\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
    C:\WINDOWS\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
    C:\WINDOWS\System32\spool\SpoolerETW.etl Object is locked skipped
    C:\WINDOWS\System32\wbem\Logs\WMITracing.log Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\INDEX.BTR Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\System32\WDI\LogFiles\WdiContextLog.etl.002 Object is locked skipped
    C:\WINDOWS\System32\wfp\wfpdiag.etl Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Application.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Media Center.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\ODiag.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\OSession.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\Security.evtx Object is locked skipped
    C:\WINDOWS\System32\winevt\Logs\System.evtx Object is locked skipped
    C:\WINDOWS\Tasks\SCHEDLGU.TXT Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    E:\System Volume Information\Desktop.ini Object is locked skipped
    E:\System Volume Information\Folder.htt Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\Protect.ed Object is locked skipped

    Scan process completed.


    Hijackthis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:48:29, on 23/11/2007
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16546)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=laptop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 208.79.78.230 barristerlawyer.com
    O1 - Hosts: 82.98.86.179 identitycreation.com
    O1 - Hosts: 82.98.86.179 allteenagers.com
    O1 - Hosts: 82.98.86.179 leeadgroup.com
    O1 - Hosts: 82.98.86.179 backwardization.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe "
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [\\Livingroom\EPSON Stylus Photo RX560 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\E_S2A50.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKCU\..\Run: [EPSON Stylus Photo RX560 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Windows\TEMP\E_S2EAE.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [EPSON Stylus Photo RX560 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\E_S8630.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe "
    O4 - HKLM\..\Policies\Explorer\Run: [compmgmt] C:\Windows\system32\CTFM0N.EXE
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/VistaMSNPUplden-gb.cab
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
    O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 11139 bytes

    again thanks for the help

    Terry
     
  8. 2007/11/23
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
  9. 2007/11/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You should not have been advised to turn UAC off, and Norton should be scolded for doing so. UAC, while it can be a PITA, is your best defense against rogues running rampant and unchecked on your system.

    Navigate to C:\Windows\system32\drivers\etc and open the file named hosts with Notepad. The quote box below shows what the default should look like.
    Yours has entries added that look like the following.

    208.79.78.230 barristerlawyer.com
    82.98.86.179 identitycreation.com
    82.98.86.179 allteenagers.com
    82.98.86.179 leeadgroup.com
    82.98.86.179 backwardization.com

    Remove them all so that it appears as the default.

    Delete the following files.

    C:\Windows\system32\Indt2.sys
    C:\Windows\system32\ndt2.sys
    C:\Windows\system32\orrx.exe << this is the Chinese notepad


    C:\Windows\2.exe is a Nero key generator. Not a threat, but not the best means of getting a key either. ;)


    Now close all open browser windows then see if things work as they should again.
     
  10. 2007/11/23
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    Hi

    I have tried to edit the hosts file, but it will not allow me to save the new one?

    Also, every time I have deleted these files they come back. What am I doing wrong?

    Terry
     
  11. 2007/11/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Right click the hosts file and select properties. See if the 'read only' attribute is set and remove it if it is, then try editing again. If still no luck, you may have to do it with UAC off. Try deleting the files at that time too. If they return, proceed as follows.

    Download ComboFix by sUBs from here or here, saving the file to your desktop.
    • Close all open programs and windows
    • Right click combofix.exe and select Run As Administrator, then follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
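    Added example, not code from the thread or from any tool named in it: a small Python script that does what the two replies above ask the reader to do by hand. It parses a hosts file, flags every mapping that does not point at loopback (the five redirections quoted earlier are reproduced here as a constructed sample, not a capture of the poster's file), clears the read-only attribute if it is set, and writes the cleaned file back. The demo runs against a temporary copy; the real path C:\Windows\system32\drivers\etc\hosts is never touched.

```python
import os
import stat
import tempfile
from ipaddress import ip_address

# Constructed sample (not a capture of the poster's file): the Vista default
# loopback lines followed by the five redirections quoted in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
208.79.78.230 barristerlawyer.com
82.98.86.179 identitycreation.com
82.98.86.179 allteenagers.com
82.98.86.179 leeadgroup.com
82.98.86.179 backwardization.com
"""


def parse_hosts(text):
    """Yield (ip, names, raw_line) for every mapping line; comments and blanks are skipped."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = body.split()
        if len(parts) < 2:
            continue
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue  # not a mapping line (malformed address)
        yield ip, parts[1:], raw


def suspicious_entries(text):
    """Return raw lines that point a hostname at anything other than loopback.

    A stock hosts file only maps localhost to 127.0.0.1 / ::1, so every
    non-loopback mapping deserves a look; on a home PC they are rarely legitimate.
    """
    return [raw for ip, _names, raw in parse_hosts(text) if not ip.is_loopback]


def cleaned_hosts(text):
    """Return the file contents with non-loopback mappings removed, comments intact."""
    bad = set(suspicious_entries(text))
    return "\n".join(line for line in text.splitlines() if line not in bad) + "\n"


def is_read_only(path):
    """On Windows the 'Read-only' attribute is what os.stat reports as a cleared write bit."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def clear_read_only(path):
    """Equivalent of unticking 'Read-only' in the file's Properties dialog."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IWRITE)


def audit_and_fix(path):
    """Report non-loopback entries, clear the attribute if set, and write the cleaned file.

    Returns (number_of_flagged_entries, was_read_only).
    """
    with open(path, encoding="utf-8") as f:
        text = f.read()
    flagged = suspicious_entries(text)
    for line in flagged:
        print("suspicious:", line)
    was_ro = is_read_only(path)
    if was_ro:
        clear_read_only(path)
    with open(path, "w", encoding="utf-8") as f:
        f.write(cleaned_hosts(text))
    return len(flagged), was_ro


def demo():
    """Run the audit against a temporary copy of the constructed sample.

    Returns (flagged_count, was_read_only, suspicious_entries_remaining).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hosts")  # assumed scratch location, not the system file
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_HOSTS)
        os.chmod(path, stat.S_IREAD)  # simulate the 'Read-only' attribute being set
        count, was_ro = audit_and_fix(path)
        with open(path, encoding="utf-8") as f:
            remaining = suspicious_entries(f.read())
        return count, was_ro, len(remaining)


if __name__ == "__main__":
    print(demo())  # (5, True, 0)
```

    On Vista the real hosts file sits under System32, so writing to it needs an elevated process whatever the attribute says; that, not the attribute alone, is usually why a save from a non-elevated Notepad fails. Some security suites also guard the hosts file, which is another reason a save can fail silently.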
     
  12. 2007/11/23
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    Hi there

    here are the logs

    ComboFix 07-11-19.3 - Terry 2007-11-23 16:45:06.1 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1363 [GMT 0:00]
    Running from: C:\Users\Terry\Desktop\Windows help\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Windows\system32\Packet.dll
    C:\Windows\system32\WanPacket.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NPF
    -------\NPF


    ((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
    .

    2007-11-23 16:13 <DIR> d-------- C:\Program Files\GiPo@Utilities
    2007-11-23 16:13 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
    2007-11-22 22:02 3,284 --a------ C:\WINDOWS\System32\perfs.txt
    2007-11-22 20:44 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
    2007-11-22 20:44 <DIR> d-------- C:\PROGRA~2\Kaspersky Lab
    2007-11-22 20:43 <DIR> d-------- C:\kav
    2007-11-22 20:27 <DIR> d-------- C:\Users\All Users\Kaspersky Lab Setup Files
    2007-11-22 20:27 <DIR> d-------- C:\PROGRA~2\Kaspersky Lab Setup Files
    2007-11-22 18:11 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-22 17:32 <DIR> d-------- C:\Program Files\Add Remove Pro
    2007-11-22 13:27 <DIR> d-------- C:\Deckard
    2007-11-22 08:41 <DIR> d-------- C:\Users\All Users\Lavasoft
    2007-11-22 08:41 <DIR> d-------- C:\Program Files\Lavasoft
    2007-11-22 08:41 <DIR> d-------- C:\PROGRA~2\Lavasoft
    2007-11-22 08:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-20 16:31 <DIR> d-------- C:\WINDOWS\Sun
    2007-11-20 10:09 <DIR> d-------- C:\Program Files\Driving Test Success 2006-2007
    2007-11-19 20:53 <DIR> d-------- C:\Program Files\KellySoftware
    2007-11-19 10:28 <DIR> d-------- C:\Users\All Users\WebEx
    2007-11-19 10:28 <DIR> d-------- C:\PROGRA~2\WebEx
    2007-11-18 18:11 <DIR> d-------- C:\Users\All Users\Driving Test Success
    2007-11-18 18:11 <DIR> d-------- C:\PROGRA~2\Driving Test Success
    2007-11-18 17:15 <DIR> d-------- C:\Program Files\MagicDVDRipper
    2007-11-18 16:41 <DIR> d-------- C:\Users\All Users\DVD Shrink
    2007-11-18 16:41 <DIR> d-------- C:\Program Files\DVD Shrink
    2007-11-18 16:41 <DIR> d-------- C:\PROGRA~2\DVD Shrink
    2007-11-17 17:33 1,244,672 --a------ C:\WINDOWS\System32\mcmde.dll
    2007-11-17 17:25 1,152,000 --a------ C:\WINDOWS\System32\lo.dll
    2007-11-17 17:25 824,832 --a------ C:\WINDOWS\System32\flyage.dll
    2007-11-17 17:25 28,160 --a------ C:\WINDOWS\System32\CTFM0N.EXE
    2007-11-14 14:27 3,504,824 --a------ C:\WINDOWS\System32\ntkrnlpa.exe
    2007-11-14 14:27 3,471,032 --a------ C:\WINDOWS\System32\ntoskrnl.exe
    2007-11-14 14:27 258,232 --a------ C:\WINDOWS\System32\drivers\acpi.sys
    2007-11-14 14:26 8,704 --a------ C:\WINDOWS\System32\hcrstco.dll
    2007-11-14 14:26 8,704 --a------ C:\WINDOWS\System32\hccoin.dll
    2007-11-10 19:01 <DIR> d-------- C:\Program Files\dvd43
    2007-11-04 19:42 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
    2007-11-04 19:42 <DIR> d-------- C:\PROGRA~2\Spybot - Search & Destroy
    2007-10-26 16:30 221,215 --------- C:\WINDOWS\System32\Divxdec.ax
    2007-10-26 14:38 <DIR> d-------- C:\Program Files\EPSON Print CD
    2007-10-26 14:30 61,952 --a------ C:\WINDOWS\System32\escwiad.dll
    2007-10-24 14:56 <DIR> d-------- C:\Users\All Users\UDL
    2007-10-24 14:56 <DIR> d-------- C:\PROGRA~2\UDL
    2007-10-24 14:50 <DIR> d-------- C:\Users\All Users\EPSON
    2007-10-24 14:50 <DIR> d-------- C:\Program Files\EPSON
    2007-10-24 14:50 <DIR> d-------- C:\PROGRA~2\EPSON
    2007-10-24 14:50 75,264 --a------ C:\WINDOWS\System32\E_FLBBPE.DLL
    2007-10-24 14:50 62,976 --a------ C:\WINDOWS\System32\E_FD4BBPE.DLL
    2007-10-24 14:50 49,152 --a------ C:\WINDOWS\System32\E_DCINST.DLL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-23 16:34 --------- d-----w C:\PROGRA~2\Symantec
    2007-11-23 16:21 56,019 ----a-w C:\Users\Terry\AppData\Roaming\nvModes.dat
    2007-11-22 20:26 --------- d-----w C:\Users\Terry\AppData\Roaming\BitTorrent
    2007-11-22 12:19 3,140 --sha-w C:\Windows\System32\KGyGaAvL.sys
    2007-11-21 21:18 --------- d-----w C:\Program Files\Common Files\LightScribe
    2007-11-21 17:28 --------- d-----w C:\PROGRA~2\Corel
    2007-11-17 17:33 --------- d-----w C:\Program Files\CONEXANT
    2007-11-14 14:27 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
    2007-11-14 14:27 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
    2007-11-14 14:27 542,720 ----a-w C:\Windows\System32\sysmain.dll
    2007-11-14 14:27 502,784 ----a-w C:\Windows\System32\wlansvc.dll
    2007-11-14 14:27 47,104 ----a-w C:\Windows\System32\wlanapi.dll
    2007-11-14 14:27 297,984 ----a-w C:\Windows\System32\wlansec.dll
    2007-11-14 14:27 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
    2007-11-14 14:27 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
    2007-11-14 14:27 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
    2007-11-14 14:27 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
    2007-11-14 14:27 2,923,520 ----a-w C:\Windows\explorer.exe
    2007-11-14 14:27 2,027,008 ----a-w C:\Windows\System32\win32k.sys
    2007-11-14 14:27 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
    2007-11-14 14:27 11,264 ----a-w C:\Windows\system32\drivers\wmiacpi.sys
    2007-11-14 14:26 73,216 ----a-w C:\Windows\system32\drivers\usbccgp.sys
    2007-11-14 14:26 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
    2007-11-14 14:26 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
    2007-11-14 14:26 23,040 ----a-w C:\Windows\system32\drivers\usbuhci.sys
    2007-11-14 14:26 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
    2007-11-14 14:26 192,000 ----a-w C:\Windows\system32\drivers\usbhub.sys
    2007-11-14 14:26 --------- d-----w C:\Program Files\Windows Mail
    2007-11-10 20:19 --------- d-----w C:\Program Files\Common Files\Nero
    2007-11-10 20:16 --------- d-----w C:\PROGRA~2\Nero
    2007-11-10 19:01 18,816 ----a-w C:\Windows\system32\drivers\dvd43llh.sys
    2007-11-09 10:56 --------- d-----w C:\Users\Terry\AppData\Roaming\RipIt4Me
    2007-11-05 16:14 --------- d-----w C:\Program Files\TomTom HOME 2
    2007-10-26 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-26 16:28 --------- d-----w C:\Program Files\HP
    2007-10-22 10:58 --------- d-----w C:\Program Files\Makayama Interactive
    2007-10-22 10:51 --------- d-----w C:\PROGRA~2\TamoSoft
    2007-10-21 18:03 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-10-21 16:03 --------- d--h--w C:\PROGRA~2\GTek
    2007-10-17 10:46 --------- d-----w C:\Users\Terry\AppData\Roaming\Corel
    2007-10-17 10:42 --------- d-----w C:\Program Files\Common Files\Corel
    2007-10-17 10:40 --------- d-----w C:\Program Files\Corel
    2007-10-17 10:34 --------- d-----w C:\Users\Terry\AppData\Roaming\InstallShield
    2007-10-16 18:31 --------- d-----w C:\Program Files\CyberLink
    2007-10-12 06:52 --------- d-----w C:\Program Files\KC Softwares
    2007-10-12 06:46 --------- d-----w C:\Program Files\REFLEX
    2007-10-10 19:41 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
    2007-10-10 19:41 7,680 ----a-w C:\Windows\System32\spwmp.dll
    2007-10-10 19:41 4,096 ----a-w C:\Windows\System32\dxmasf.dll
    2007-10-10 19:41 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
    2007-10-10 19:39 56,320 ----a-w C:\Windows\System32\iesetup.dll
    2007-10-10 19:39 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2007-10-10 19:39 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
    2007-10-10 19:38 84,480 ----a-w C:\Windows\System32\INETRES.dll
    2007-10-10 19:38 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
    2007-10-10 19:38 737,792 ----a-w C:\Windows\System32\inetcomm.dll
    2007-10-10 18:03 --------- d-----w C:\PROGRA~2\Pegasys Inc
    2007-10-10 17:55 --------- d-----w C:\Users\Terry\AppData\Roaming\Pegasys Inc
    2007-10-10 17:50 53,248 ----a-w C:\Windows\System32\GenSvcInst.exe
    2007-10-10 17:50 33,408 ----a-w C:\Windows\system32\drivers\CDRBSDRV.SYS
    2007-10-10 17:50 118,784 ----a-w C:\Windows\System32\bgsvcgen.exe
    2007-10-10 17:50 --------- d-----w C:\Program Files\Pegasys Inc
    2007-10-10 13:46 --------- d-----w C:\Program Files\Xvid
    2007-10-10 09:51 --------- d-----w C:\Users\Terry\AppData\Roaming\LEAPS
    2007-10-10 05:39 --------- d-----w C:\Program Files\Norton 360
    2007-10-09 20:20 --------- d-----w C:\Program Files\AVI MPEG RM WMV Joiner
    2007-10-08 14:45 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
    2007-10-08 14:45 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
    2007-10-08 14:45 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
    2007-10-08 14:45 --------- d-----w C:\Program Files\Symantec
    2007-10-08 14:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-10-06 21:01 --------- d-----w C:\Program Files\MSN Messenger
    2007-10-03 21:58 --------- d-----w C:\Users\Terry\AppData\Roaming\TomTom
    2007-10-03 21:58 --------- d-----w C:\Program Files\TomTom HOME
    2007-10-03 21:58 --------- d-----w C:\PROGRA~2\TomTom
    2007-10-03 21:54 --------- d-----w C:\Program Files\TomTom DesktopSuite
    2007-10-03 21:12 --------- d-----w C:\PROGRA~2\CyberLink
    2007-10-03 20:21 174 --sha-w C:\Program Files\desktop.ini
    2007-10-03 19:40 --------- d-----w C:\Program Files\DVD Decrypter
    2007-10-03 19:05 229,888 ----a-w C:\Windows\System32\msshsq.dll
    2007-10-03 19:04 61,440 ----a-w C:\Windows\System32\ntprint.exe
    2007-10-03 19:04 269,824 ----a-w C:\Windows\System32\schannel.dll
    2007-10-03 19:04 220,160 ----a-w C:\Windows\System32\ntprint.dll
    2007-10-03 19:04 120,320 ----a-w C:\Windows\System32\dhcpcsvc6.dll
    2007-10-03 19:04 10,240 ----a-w C:\Windows\System32\dhcpcmonitor.dll
    2007-10-03 19:04 1,984,512 ----a-w C:\Windows\System32\authui.dll
    2007-10-03 19:03 88,576 ----a-w C:\Windows\System32\avifil32.dll
    2007-10-03 19:03 82,944 ----a-w C:\Windows\System32\mciavi32.dll
    2007-10-03 19:03 8,138,240 ----a-w C:\Windows\System32\ssBranded.scr
    2007-10-03 19:03 712,192 ----a-w C:\Windows\System32\WindowsCodecs.dll
    2007-10-03 19:03 69,632 ----a-w C:\Windows\System32\sendmail.dll
    2007-10-03 19:03 65,024 ----a-w C:\Windows\System32\avicap32.dll
    2007-10-03 19:03 31,232 ----a-w C:\Windows\System32\msvidc32.dll
    2007-10-03 19:03 123,904 ----a-w C:\Windows\System32\msvfw32.dll
    2007-10-03 19:03 12,800 ----a-w C:\Windows\System32\msrle32.dll
    2007-10-03 09:06 --------- d-----w C:\Program Files\SereneScreen
    2007-10-03 03:54 --------- d-----w C:\Users\Terry\AppData\Roaming\Symantec
    2007-10-03 02:21 --------- d-----w C:\Program Files\Windows Defender
    2007-10-03 02:21 --------- d-----w C:\Program Files\Windows Calendar
    2007-10-03 02:14 87,040 ----a-w C:\Windows\System32\msoert2.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "\\Livingroom\EPSON Stylus Photo RX560 Series "= "C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.exe" [2006-05-23 04:00]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:36]
    "Sidebar "= "C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 12:35]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 00:15]
    "EPSON Stylus Photo RX560 Series (Copy 1) "= "C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.exe" [2006-05-23 04:00]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-03 02:12]
    "WAWifiMessage "= "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 17:56]
    "TomTomHOME.exe "= "C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 10:19]
    "SynTPStart "= "C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:50]
    "Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
    "QlbCtrl "= "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 18:58]
    "NvSvc "= "RUNDLL32.exe" [2006-11-02 09:45 C:\WINDOWS\System32\rundll32.exe]
    "NvMediaCenter "= "RUNDLL32.exe" [2006-11-02 09:45 C:\WINDOWS\System32\rundll32.exe]
    "NvCplDaemon "= "RUNDLL32.exe" [2006-11-02 09:45 C:\WINDOWS\System32\rundll32.exe]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
    "hpWirelessAssistant "= "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 17:32]
    "HP Software Update "= "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
    "HP Health Check Scheduler "= "C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 23:42]
    "GrooveMonitor "= "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
    "Corel File Shell Monitor "= "C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 19:52]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher "= "%WINDIR%\SMINST\launcher.exe" []

    R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071122.001\IDSvix86.sys
    S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys
    S3 BTHprint;Microsoft Bluetooth Printer Class;C:\Windows\system32\DRIVERS\bthprint.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
    bthsvcs BthServ

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20f7de3a-7074-11dc-bf14-001a6b2ef719}]
    \shell\AutoRun\command - G:\setupSNK.exe

    *Newly Created Service* - COMHOST
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-23 16:49:33
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "\\\\Livingroom\\EPSON Stylus Photo RX560 Series "= "C:\\Windows\\system32\\spool\\DRIVERS\\W32X86\\3\\E_FATIBPE.EXE /FU \ "C:\\Users\\Terry\\AppData\\Local\\Temp\\E_S2A50.tmp\" /EF \ "HKCU\" "
    .
    Completion time: 2007-11-23 16:50:29 - machine was rebooted
    .
    --- E O F ---

    Note that after the scan restarted my laptop, the Windows Security Center is turned off and cannot be turned on?

    thanks Terry
     
  13. 2007/11/23
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    Also note that the notepad has stopped opening on its own, but websites are still opening after reboot.

    I have managed to change the hosts file and delete the other files.
    Thanks Terry
     
  14. 2007/11/23
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:07:20, on 23/11/2007
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16546)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\WINDOWS\System32\CTFM0N.EXE
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Internet Explorer\IEUser.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=laptop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [\\Livingroom\EPSON Stylus Photo RX560 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\E_S2A50.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKCU\..\Run: [EPSON Stylus Photo RX560 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBPE.EXE /FU "C:\Windows\TEMP\E_S2EAE.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe "
    O4 - HKLM\..\Policies\Explorer\Run: [compmgmt] C:\Windows\system32\CTFM0N.EXE
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/VistaMSNPUplden-gb.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1195822366624
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
    O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 10173 bytes
     
  15. 2007/11/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HijackThis (may need to run as admin or with UAC off) and place a check next to the following entry, then click Fix Checked.

    O4 - HKLM\..\Policies\Explorer\Run: [compmgmt] C:\Windows\system32\CTFM0N.EXE

    Please upload the following files to my submission channel. Leave a link back to this topic.

    C:\WINDOWS\System32\lo.dll
    C:\WINDOWS\System32\flyage.dll
    C:\WINDOWS\System32\CTFM0N.EXE

    Reboot.

    Delete lo.dll and flyage.dll and C:\WINDOWS\System32\perfs.txt
    Rename ctfmon.exe to ctfmon.exe.old then do a search of the drive for ctfmon.* and let me know what you come up with.
     
  16. 2007/11/23
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    Hi Dave, I have done all the above, but there are 2 ctfmon.exe files.

    One is CTFMON.EXE (looks like a page), date created 17 Nov 2007.

    One is ctfmon.exe (looks like a notepad with a blue pen on it), date 2 Nov 2006.

    Both are in win32.

    Which one do I rename to .old?


    Terry
     
    Last edited: 2007/11/23
  17. 2007/11/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    ctfmon.exe is a legitimate file, and I'd expected that it had been overwritten with CTFMON.EXE, not that there would be 2.
    The CTFMON.EXE is definitely a bad one ... the same as the one you uploaded. Forget renaming and delete it. I'm looking at it right now and see a few other things we need to check for.

    Let me know how things are after rebooting. Are you comfortable in the registry?
     
  18. 2007/11/23
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    Hi there Dave

    yes I am ok in there


    After reboot the Notepad has stopped, and so have the web pages, I think. Windows Security Center is still turned off and will not turn on.

    Terry
     
    Last edited: 2007/11/23
  19. 2007/11/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Look under both the current_user\software and local_machine\software hives for the following keys and delete if present.

    fengzi
    hebe

    I would also like you to export the following key to text and post it here.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List


    Security Center still down after removing the files and rebooting? Click Start>Run and type services.msc then hit enter. Check that the Security Center service is set to automatic startup type.
     
  20. 2007/11/23
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    Hi Dave

    found both fengzi and hebe

    here is the reg key

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Class Name: <NO CLASS>
    Last Write Time: 17/11/2007 - 17:25
    Value 0
    Name: C:\Program Files\BitTorrent\bittorrent.exe
    Type: REG_SZ
    Data: C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

    Value 1
    Name: C:\Windows\system32\CTFM0N.EXE
    Type: REG_SZ
    Data: %windir%\system32\CTFM0N.EXE:*:enabled:CTFM0N.EXE
     
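The two checks asked for in posts 15 and 20 (spotting a lookalike of a Windows binary such as CTFM0N.EXE started from the Policies\Explorer\Run key, and reading the exported firewall AuthorizedApplications list) can be scripted so they are not done by eye. The following is an added Python example written for this page; it is not code from the thread, from HijackThis, ComboFix or Windows. The sample lines are copied from the logs posted above; the allow-list of system binary names and the homoglyph table are assumptions chosen for illustration, not a complete list.

```python
"""Triage helpers for the two indicators discussed in this thread:
a lookalike system binary (CTFM0N.EXE, digit zero for the letter o) started
from HKLM\\...\\Policies\\Explorer\\Run, and a firewall exception that was
added for the same file. Sample input is copied from the log lines posted in
the thread; the allow-list and homoglyph table are illustrative choices."""
import re
from typing import Optional

# Legitimate Windows binaries whose names malware likes to imitate.
# Assumption: a short illustrative allow-list, not a complete one.
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe",
                         "csrss.exe", "explorer.exe", "rundll32.exe"}

# Characters that read alike on screen: '0' for 'o', '1' for 'l', '5' for 's'.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def lookalike_of(filename: str) -> Optional[str]:
    """Return the legitimate name that `filename` imitates, or None.
    An exact case-insensitive match is not a lookalike; it is the real name."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    folded = name.translate(_HOMOGLYPHS)
    return folded if folded in KNOWN_SYSTEM_BINARIES else None


# HijackThis O4 line: "O4 - <hive path>: [<value name>] <command line>"
_O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# First executable in a command line: either a quoted path or text up to the
# first .exe/.dll/.scr/.cpl, so unquoted paths with spaces survive intact.
_EXE_RE = re.compile(r'\s*(?:"([^"]+)"|(.+?\.(?:exe|dll|scr|cpl))\b)', re.I)


def exe_from_command(cmd: str) -> str:
    """Base name of the program a Run-key command line actually starts."""
    m = _EXE_RE.match(cmd)
    path = (m.group(1) or m.group(2)) if m else (cmd.split() or [""])[0]
    return path.rsplit("\\", 1)[-1]


def triage_hijackthis(log: str) -> list[str]:
    """Flag O4 autostart lines that use the Policies\\Explorer\\Run key or
    launch a lookalike of a system binary. Returns one string per finding."""
    findings = []
    for line in log.splitlines():
        m = _O4_RE.match(line.strip())
        if not m:
            continue
        exe = exe_from_command(m["cmd"])
        reasons = []
        if m["key"].lower().endswith("policies\\explorer\\run"):
            reasons.append("started from the Policies\\Explorer\\Run key, "
                           "which normal software almost never uses")
        target = lookalike_of(exe)
        if target:
            reasons.append(f"{exe} imitates {target}")
        if reasons:
            findings.append(f"[{m['value']}] {exe}: " + "; ".join(reasons))
    return findings


def parse_firewall_export(text: str) -> list[dict]:
    """Parse the 'Data:' lines of a regedit text export of the XP/Vista
    AuthorizedApplications\\List key. Each value has the form
    '<path>:<scope>:<Enabled|Disabled>:<display name>'; the path itself
    contains a colon, so the split runs from the right."""
    entries = []
    for m in re.finditer(r"^Data:\s*(.+)$", text, re.M):
        parts = m.group(1).strip().rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, display = parts
        entries.append({"path": path, "scope": scope,
                        "enabled": state.lower() == "enabled",
                        "display": display})
    return entries


def triage_firewall(export_text: str) -> list[str]:
    """Flag authorized applications that imitate a system binary or that sit
    under system32 (a per-application exception there is unusual and worth
    checking against the file on disk)."""
    findings = []
    for e in parse_firewall_export(export_text):
        exe = e["path"].rsplit("\\", 1)[-1]
        reasons = []
        target = lookalike_of(exe)
        if target:
            reasons.append(f"{exe} imitates {target}")
        if "\\system32\\" in e["path"].lower():
            reasons.append("per-application exception for a file under system32")
        if reasons:
            state = "enabled" if e["enabled"] else "disabled"
            findings.append(f"{e['path']} ({state}): " + "; ".join(reasons))
    return findings


# Constructed samples: lines copied from the HijackThis log and the registry
# export posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKLM\..\Policies\Explorer\Run: [compmgmt] C:\Windows\system32\CTFM0N.EXE
"""

SAMPLE_FW = r"""
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Value 0
Name: C:\Program Files\BitTorrent\bittorrent.exe
Type: REG_SZ
Data: C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

Value 1
Name: C:\Windows\system32\CTFM0N.EXE
Type: REG_SZ
Data: %windir%\system32\CTFM0N.EXE:*:enabled:CTFM0N.EXE
"""

if __name__ == "__main__":
    for finding in triage_hijackthis(SAMPLE_HJT) + triage_firewall(SAMPLE_FW):
        print(finding)
```

Run against the samples it reports exactly one line from each source, both pointing at CTFM0N.EXE; the legitimate entries (Windows Defender, the Nvidia rundll32 call, Sidebar, BitTorrent) produce nothing. The homoglyph folding is deliberately one-way: a real ctfmon.exe is never reported, only a name that becomes ctfmon.exe after folding digits to letters.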
  21. 2007/11/23
    tez.1

    tez.1 Inactive Thread Starter

    Joined:
    2004/12/18
    Messages:
    51
    Likes Received:
    0
    Checked the services.msc and the Security Center was set to delayed start. Have now set it to auto.

    After startup Security Center still will not start up. I ran services.msc again and clicked on Start for Security Center and it came up with:


    "Windows could not start the Security Center service on Local Computer"

    "Error 1079: The account specified for this service is different from the account specified for other services running in the same process."


    Terry
     