
Active Voodoo and 1000+ infected registry

Discussion in 'Malware and Virus Removal Archive' started by Abi621, 2010/03/16.

  1. 2010/03/16, Abi621 (Thread Starter)

    [Active] Voodoo and 1000+ infected registry

    Hello to all of you.

    I heard from Chris (clubecgr) that this is the best Anti-Malware forum so I hope you can fix mine. He told me to be patient because you are all busy.

    Upon scanning with MBAM, more than 1000 registry entries were found.

    Here's the DDS log after MBAM. I'll post the MBAM log if needed.

    Yours Truly,
    Abigail

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by user at 17:55:54.82 on Tue 03/16/2010
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.538 [GMT 8:00]

    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    AV: Security Antivirus *On-access scanning enabled* (Updated) {84B9A291-2D8A-48ED-AD8D-75F0D9D48DEB}
    FW: Security Antivirus *enabled* {EFA42BDD-E5E5-40ED-90AD-E9DB128EAA20}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\USB Disk Security\USBGuard.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\VMSnap3.EXE
    C:\WINDOWS\Domino.EXE
    C:\Program Files\BearShare Applications\MediaBar\DataMngr\DataMngrUI.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\SweetIM\Messenger\SweetIM.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Documents and Settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\PROGRA~1\Bandoo\Bandoo.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\user.OWNER-65287C04B\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = bearshare.com
    mDefault_Page_URL = hxxp://www.yahoo.com
    mSearch Page = ${URL_SEARCHPAGE}
    mStart Page = hxxp://home.sweetim.com
    uInternet Connection Wizard,ShellNext = hxxp://search.yahoo.com/search?fr=msgr-buddy&ei=UTF-8&p=qatar%20jobs
    uURLSearchHooks: SweetIM ToolbarURLSearchHook Class: {eee6c35d-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgHelper.dll
    mWinlogon: Taskman=c:\documents and settings\user.owner-65287c04b\csrss.exe
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearshare applications\mediabar\toolbar\BearshareMediabarDx.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: UrlHelper Class: {74322bf9-df26-493f-b0da-6d2fc5e6429e} - c:\program files\bearshare applications\mediabar\datamngr\IEBHO.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: BandooIEPlugin Class: {eb5cee80-030a-4ed8-8e20-454e9c68380f} - c:\program files\bandoo\plugins\ie\ieplugin.dll
    BHO: SweetIM Toolbar Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    c:\program files\ask.com\GenericAskToolbar.dll
    TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearshare applications\mediabar\toolbar\BearshareMediabarDx.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: SweetIM Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe "
    uRun: [Google Update] "c:\documents and settings\user.owner-65287c04b\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SkyTel] SkyTel.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [VMSnap3] c:\windows\VMSnap3.EXE
    mRun: [Domino] c:\windows\Domino.EXE
    mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    mRun: [DataMngr] c:\program files\bearshare applications\mediabar\datamngr\DataMngrUI.exe
    mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe "
    mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
    dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    AppInit_DLLs: c:\progra~1\bearsh~1\mediabar\datamngr\datamngr.dll c:\progra~1\bandoo\bndhook.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe "
    IFEO: image file execution options - svchost.exe
    Hosts: 74.125.45.100 safebrowsing-cache.google.com
    Hosts: 74.125.45.100 urs.microsoft.com
    Hosts: 74.125.45.100 www.securesoftwarebill.com
    Hosts: 74.125.45.100 secure-plus-payments.com
    Hosts: 74.125.45.100 www.getantivirusplusnow.com

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user~1.own\applic~1\mozilla\firefox\profiles\hg6bw2cv.default\
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZNman000&ptb=8VCZDoVGDqUS42qvh_8ioQ&psa=&ind=2010030804&ptnrS=ZNman000&si=&st=kwd&n=77cea2d4&searchfor=
    FF - plugin: c:\documents and settings\user.owner-65287c04b\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\user.owner-65287c04b\application data\mozilla\plugins\npPxPlay.dll
    FF - plugin: c:\documents and settings\user.owner-65287c04b\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-2-21 104000]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2010-2-21 39424]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2010-2-21 72264]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2010-2-21 34152]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2010-2-21 170408]
    R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2010-2-26 428160]

    =============== Created Last 30 ================

    2010-03-16 09:43:53 0 d-----w- c:\docume~1\user~1.own\applic~1\Malwarebytes
    2010-03-16 09:43:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-16 09:43:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-03-16 09:43:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-16 09:43:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-15 12:04:07 376 ----a-w- c:\windows\ODBC.INI
    2010-03-15 09:22:14 0 d-----w- c:\docume~1\alluse~1\applic~1\C2AF
    2010-03-15 03:03:12 0 ----a-w- c:\documents and settings\user.owner-65287c04b\Desktop.ini
    2010-03-14 13:12:19 0 d-----w- c:\docume~1\user~1.own\applic~1\Facebook
    2010-03-14 10:05:47 108 ----a-w- c:\documents and settings\user.owner-65287c04b\default.pls
    2010-03-14 04:31:17 0 d-----w- c:\program files\Photodex Presenter
    2010-03-14 04:31:01 0 d-----w- c:\program files\Photodex
    2010-03-14 04:30:41 0 d-----w- c:\docume~1\user~1.own\applic~1\Photodex
    2010-03-13 16:54:27 0 d-----w- c:\docume~1\user~1.own\applic~1\bearsharemediabartb
    2010-03-13 16:45:05 0 d-----w- c:\docume~1\user~1.own\applic~1\Bandoo
    2010-03-13 11:12:23 0 d-----w- c:\docume~1\alluse~1\applic~1\171A5
    2010-03-12 11:34:30 0 d-----w- c:\docume~1\alluse~1\applic~1\1E0
    2010-03-12 02:47:22 0 d-----w- c:\docume~1\alluse~1\applic~1\1630D
    2010-03-11 11:24:23 0 d-----w- c:\docume~1\alluse~1\applic~1\17251
    2010-03-11 05:55:34 0 d-----w- c:\docume~1\alluse~1\applic~1\222BF
    2010-03-11 03:12:10 0 d-----w- c:\program files\SweetIM
    2010-03-11 03:12:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SweetIM
    2010-03-11 02:58:43 0 d-----w- c:\docume~1\alluse~1\applic~1\2B3A
    2010-03-11 02:10:38 0 d-----w- c:\docume~1\alluse~1\applic~1\2638A
    2010-03-10 13:51:18 876 ----a-w- c:\windows\$_hpcst$.hpc
    2010-03-10 10:47:40 5997613 ----a-w- C:\FarmvilleMagicTools13.zip
    2010-03-10 10:35:55 0 ----a-w- C:\testwma.raw
    2010-03-10 08:35:05 0 d-----w- C:\My Downloads
    2010-03-10 08:31:33 0 d-----w- c:\docume~1\alluse~1\applic~1\21251
    2010-03-09 09:18:59 0 d-----w- c:\docume~1\alluse~1\applic~1\3B251
    2010-03-08 08:51:11 0 d-----w- c:\docume~1\alluse~1\applic~1\B271
    2010-03-08 04:22:51 0 d-----w- c:\docume~1\alluse~1\applic~1\335D
    2010-03-07 15:50:34 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-03-07 10:26:48 0 d-----w- c:\docume~1\alluse~1\applic~1\301E4
    2010-03-07 03:42:13 7680 --sha-w- c:\windows\Thumbs.db
    2010-03-06 12:00:26 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SAZYV
    2010-03-06 11:57:36 0 d-sh--w- c:\docume~1\alluse~1\applic~1\0bfda88
    2010-03-05 14:02:25 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-03-05 14:02:25 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-03-02 11:43:01 0 d-----w- C:\logs
    2010-03-01 09:58:32 40 ----a-w- c:\windows\RSoftInfo.dat
    2010-02-28 13:08:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Bandoo
    2010-02-28 13:08:08 0 d-----w- c:\program files\Bandoo
    2010-02-28 01:38:45 483328 ----a-w- c:\windows\system32\actskn45.ocx
    2010-02-28 01:38:42 0 d-----w- c:\program files\BearShare Applications
    2010-02-27 09:58:19 69 ----a-w- c:\windows\NeroDigital.ini
    2010-02-27 07:03:57 0 d-----w- c:\program files\Ask.com
    2010-02-26 07:00:50 0 d-----w- c:\program files\Vimicro
    2010-02-24 15:30:27 0 d-----w- c:\program files\HP
    2010-02-24 15:29:29 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2010-02-24 15:29:28 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2010-02-24 15:29:13 267864 ----a-r- c:\windows\system32\hpzids01.dll
    2010-02-24 15:29:11 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
    2010-02-24 15:28:52 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2010-02-24 15:28:48 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2010-02-24 15:28:48 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-02-24 15:27:58 364544 ----a-r- c:\windows\system32\hppldcoi.dll
    2010-02-24 15:27:58 309760 ----a-r- c:\windows\system32\difxapi.dll
    2010-02-24 15:27:58 303104 ----a-r- c:\windows\system32\hpovst10.dll
    2010-02-24 15:27:57 675840 ----a-r- c:\windows\system32\hpowiax3.dll
    2010-02-24 15:27:57 569344 ----a-r- c:\windows\system32\hpotscl3.dll
    2010-02-24 15:27:54 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-02-24 15:27:54 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-02-24 15:24:33 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-02-24 15:24:33 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-02-24 08:24:49 0 d-----w- c:\program files\Bonjour
    2010-02-24 08:17:33 0 d-----w- c:\program files\common files\Macrovision Shared
    2010-02-24 08:14:15 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-02-24 08:02:54 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-02-24 08:02:54 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-02-24 08:02:51 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-02-24 08:02:51 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2010-02-21 12:21:32 0 d-----w- c:\program files\common files\ODBC
    2010-02-21 12:21:29 0 d-----w- c:\program files\common files\SpeechEngines
    2010-02-21 12:21:08 0 d-----r- c:\documents and settings\all users\Documents
    2010-02-21 08:03:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Nero
    2010-02-21 08:03:11 0 d-----w- c:\program files\Nero
    2010-02-21 07:41:23 0 d-----w- c:\program files\Microsoft Encarta
    2010-02-21 07:25:54 0 d-----w- c:\program files\GameHouse
    2010-02-21 07:21:21 0 d-----w- c:\program files\K-Lite Codec Pack
    2010-02-21 07:19:17 0 d-----w- c:\program files\Yahoo!
    2010-02-21 07:01:01 0 d-----w- c:\program files\Chikka Messenger
    2010-02-21 06:47:08 0 d-----w- c:\program files\USB Disk Security
    2010-02-21 04:46:31 0 d-----w- c:\program files\common files\Cisco Systems
    2010-02-21 04:46:08 0 d-----w- c:\program files\McAfee
    2010-02-21 04:46:08 0 d-----w- c:\program files\common files\McAfee
    2010-02-21 04:29:27 0 d-sh--w- c:\documents and settings\all users\DRM
    2010-02-21 04:29:13 0 d--h--w- c:\program files\WindowsUpdate
    2010-02-21 04:28:31 0 d-----w- c:\program files\common files\MSSoap
    2010-02-21 04:27:19 0 d-----w- c:\program files\Online Services
    2010-02-21 04:27:09 0 d-----w- c:\program files\Windows Media Connect 2
    2010-02-21 04:27:02 0 d-----w- c:\program files\Messenger
    2010-02-21 04:26:59 0 d-----w- c:\program files\MSN Gaming Zone
    2010-02-21 04:26:31 0 d-----w- c:\program files\Windows NT

    ==================== Find3M ====================

    2010-02-21 07:23:46 410984 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-21 04:27:38 21640 ----a-w- c:\windows\system32\emptyregdb.dat

    ============= FINISH: 17:56:11.78 ===============
     
  2. 2010/03/16, Abi621 (Thread Starter)

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/21/2010 12:32:05 PM
    System Uptime: 3/16/2010 5:53:43 PM (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5KPL-VM
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/266mhz
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/266mhz
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/266mhz
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/266mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 49 GiB total, 32.938 GiB free.
    D: is FIXED (NTFS) - 49 GiB total, 19.642 GiB free.
    E: is FIXED (NTFS) - 51 GiB total, 23.798 GiB free.
    F: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\ATK0110\1010110
    Manufacturer:
    Name:
    PNP Device ID: ACPI\ATK0110\1010110
    Service:

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&2C575ACB&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&2C575ACB&0
    Service: i8042prt

    ==== System Restore Points ===================

    RP1: 2/21/2010 2:39:24 PM - System Checkpoint
    RP2: 2/21/2010 2:48:28 PM - Installed Microsoft Office Professional Plus 2007
    RP3: 2/21/2010 3:02:38 PM - Installed Microsoft Office Professional Plus 2007
    RP4: 2/21/2010 3:04:41 PM - Removed Microsoft Office Professional Plus 2007
    RP5: 2/21/2010 3:09:39 PM - Installed Adobe Reader 9.
    RP6: 2/21/2010 3:23:44 PM - Installed Java(TM) 6 Update 12
    RP7: 2/21/2010 3:28:01 PM - Installed Microsoft Office Professional Plus 2007
    RP8: 2/21/2010 3:41:21 PM - Installed Microsoft Encarta Premium 2009
    RP9: 2/21/2010 4:03:07 PM - Installed Nero 7 Essentials
    RP10: 2/25/2010 12:25:57 AM - System Checkpoint
    RP11: 2/26/2010 1:30:18 AM - System Checkpoint
    RP12: 2/26/2010 3:00:50 PM - Installed A4 TECH PC Camera H
    RP13: 2/27/2010 11:13:31 PM - System Checkpoint
    RP14: 3/1/2010 5:36:15 AM - System Checkpoint
    RP15: 3/2/2010 11:27:53 PM - System Checkpoint
    RP16: 3/4/2010 12:22:49 AM - System Checkpoint
    RP17: 3/5/2010 6:21:42 AM - System Checkpoint
    RP18: 3/6/2010 9:50:28 AM - System Checkpoint
    RP19: 3/9/2010 7:06:17 AM - System Checkpoint
    RP20: 3/10/2010 7:29:33 AM - System Checkpoint
    RP21: 3/11/2010 11:12:09 AM - Installed SweetIM for Messenger 3.0
    RP22: 3/12/2010 11:51:13 AM - System Checkpoint
    RP23: 3/13/2010 12:34:44 PM - System Checkpoint
    RP24: 3/14/2010 2:21:37 PM - System Checkpoint
    RP25: 3/15/2010 8:03:28 PM - Installed Microsoft Office FrontPage 2003
    RP26: 3/15/2010 8:08:02 PM - Installed Microsoft Office XP Web Components

    ==== Hosts File Hijack ======================

    Hosts: 74.125.45.100 safebrowsing-cache.google.com
    Hosts: 74.125.45.100 urs.microsoft.com
    Hosts: 74.125.45.100 www.securesoftwarebill.com
    Hosts: 74.125.45.100 secure-plus-payments.com
    Hosts: 74.125.45.100 www.getantivirusplusnow.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com
    Hosts: 74.125.45.100 secure.paysecuresystem.com
    Hosts: 74.125.45.100 paysoftbillsolution.com
    Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    Hosts: 84.19.171.6 www.google.com
    Hosts: 84.19.171.6 google.com
    Hosts: 84.19.171.6 google.com.au
    Hosts: 84.19.171.6 www.google.com.au
    Hosts: 84.19.171.6 google.be
    Hosts: 84.19.171.6 www.google.be
    Hosts: 84.19.171.6 google.com.br
    Hosts: 84.19.171.6 www.google.com.br
    Hosts: 84.19.171.6 google.ca
    Hosts: 84.19.171.6 www.google.ca
    Hosts: 84.19.171.6 google.ch
    Hosts: 84.19.171.6 www.google.ch
    Hosts: 84.19.171.6 google.de
    Hosts: 84.19.171.6 www.google.de
    Hosts: 84.19.171.6 google.dk
    Hosts: 84.19.171.6 www.google.dk
    Hosts: 84.19.171.6 google.fr
    Hosts: 84.19.171.6 www.google.fr
    Hosts: 84.19.171.6 google.ie
    Hosts: 84.19.171.6 www.google.ie
    Hosts: 84.19.171.6 google.it
    Hosts: 84.19.171.6 www.google.it
    Hosts: 84.19.171.6 google.co.jp
    Hosts: 84.19.171.6 www.google.co.jp
    Hosts: 84.19.171.6 google.nl
    Hosts: 84.19.171.6 www.google.nl
    Hosts: 84.19.171.6 google.no
    Hosts: 84.19.171.6 www.google.no
    Hosts: 84.19.171.6 google.co.nz
    Hosts: 84.19.171.6 www.google.co.nz
    Hosts: 84.19.171.6 google.pl
    Hosts: 84.19.171.6 www.google.pl
    Hosts: 84.19.171.6 google.se
    Hosts: 84.19.171.6 www.google.se
    Hosts: 84.19.171.6 google.co.uk
    Hosts: 84.19.171.6 www.google.co.uk
    Hosts: 84.19.171.6 google.co.za
    Hosts: 84.19.171.6 www.google.co.za
    Hosts: 84.19.171.6 www.google-analytics.com
    Hosts: 84.19.171.6 www.bing.com
    Hosts: 84.19.171.6 search.yahoo.com
    Hosts: 84.19.171.6 www.search.yahoo.com
    Hosts: 84.19.171.6 uk.search.yahoo.com
    Hosts: 84.19.171.6 ca.search.yahoo.com
    Hosts: 84.19.171.6 de.search.yahoo.com
    Hosts: 84.19.171.6 fr.search.yahoo.com
    Hosts: 84.19.171.6 au.search.yahoo.com
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 www.getavplusnow.com

    ==== Installed Programs ======================

    A4 TECH PC Camera H
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS4
    Adobe Bridge Start Meeting
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS4
    Adobe Reader 9
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Ask Toolbar
    Bandoo
    BearShare
    Chikka Messenger V4
    Facebook Plug-In
    GameHouse Super Games AIO®
    Google Chrome
    Java(TM) 6 Update 12
    K-Lite Codec Pack 5.1.0 (Full)
    LightScribe 1.6.43.1
    LimeWire 5.4.8
    Malwarebytes' Anti-Malware
    McAfee VirusScan Enterprise
    MediaBar
    Microsoft .NET Framework 2.0
    Microsoft Encarta Premium 2009
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office FrontPage 2003
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office XP Web Components
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.5.8)
    Nero 7 Essentials
    PDF Settings
    Photodex Presenter
    Photoshop Camera Raw
    ProShow Gold
    Realtek High Definition Audio Driver
    Software Update for Web Folders
    SweetIM for Messenger 3.0
    SweetIM Toolbar for Internet Explorer 3.6
    USB Disk Security 5.1.0.15
    Winamp
    WinRAR archiver
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    3/16/2010 5:54:16 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    3/14/2010 6:11:44 PM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort2.
    3/14/2010 6:00:33 PM, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.
    3/13/2010 8:14:32 AM, error: Dhcp [1002] - The IP address lease 192.168.1.33 for the Network Card with network address 001E8C71E75F has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    3/13/2010 8:13:07 AM, error: Service Control Manager [7023] - The Pml Driver HPZ12 service terminated with the following error: The specified module could not be found.
    3/13/2010 8:13:07 AM, error: Service Control Manager [7023] - The Net Driver HPZ12 service terminated with the following error: The specified module could not be found.
    3/13/2010 8:13:07 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the NVIDIA Display Driver Service service to connect.
    3/13/2010 8:13:07 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee McShield service to connect.
    3/13/2010 8:13:07 AM, error: Service Control Manager [7000] - The NVIDIA Display Driver Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/13/2010 8:13:07 AM, error: Service Control Manager [7000] - The McAfee McShield service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================
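As an added example (not code from this thread or from the DDS tool), the following Python triage pass reads DDS-style lines like those in the logs above and flags the three things a helper would look at first: Hosts entries that point a name anywhere other than loopback, a Winlogon Taskman value outside %windir%, and an IFEO entry on a core system binary. The sample lines are constructed from the excerpts posted in this thread.

```python
"""Triage DDS-style log lines for hosts-file hijacks and startup hooks.

Added example; the sample below is constructed from lines shown in the thread.
"""
import ipaddress
import re

# Constructed sample in the shape DDS prints (copied from the posted logs,
# plus two benign loopback entries so the filter has something to ignore).
SAMPLE_LOG = r"""
mWinlogon: Taskman=c:\documents and settings\user.owner-65287c04b\csrss.exe
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 84.19.171.6 www.google.com
Hosts: 127.0.0.1 localhost
Hosts: ::1 localhost
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
TASKMAN_RE = re.compile(r"^mWinlogon:\s+Taskman=(.+)$", re.IGNORECASE)
IFEO_RE = re.compile(
    r"^IFEO:\s+image file execution options\s+-\s+(\S+)", re.IGNORECASE
)

# Core Windows binaries that should never carry an Image File Execution
# Options hook on a clean machine (assumed list for this example).
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "winlogon.exe",
                   "csrss.exe", "userinit.exe", "lsass.exe"}


def hosts_hijacks(lines):
    """Return (ip, host) pairs whose address is neither loopback nor 0.0.0.0.

    Loopback and the unspecified address are the normal 'blocklist' targets;
    anything else means the name is being redirected to a third party.
    """
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip_text, host = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            hits.append((ip_text, host))  # unparsable address: flag for review
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            hits.append((ip_text, host))
    return hits


def startup_hooks(lines):
    """Flag a Winlogon Taskman outside %windir% and IFEO entries on system binaries.

    Taskman is normally not set at all; a value pointing into a user profile
    (as in the posted log) is a classic persistence location.
    """
    findings = []
    for line in lines:
        line = line.strip()
        m = TASKMAN_RE.match(line)
        if m:
            path = m.group(1).strip().lower()
            if not path.startswith("c:\\windows\\"):
                findings.append(("winlogon_taskman", path))
            continue
        m = IFEO_RE.match(line)
        if m and m.group(1).lower() in SYSTEM_BINARIES:
            findings.append(("ifeo", m.group(1).lower()))
    return findings


def triage(text):
    """Run both checks over a DDS-style text block and return the findings."""
    lines = text.splitlines()
    return {"hosts": hosts_hijacks(lines), "hooks": startup_hooks(lines)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```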
     


  4. 2010/03/16, crunchie

    Download the HostsXpert.
    Run it and press "Restore M$ Hosts File", then press "OK". Exit the program.
    Note that if you have a custom host file, this will remove it.

    ==

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  5. 2010/03/16, Abi621 (Thread Starter)

    I had some errors with HostsXpert.

    ComboFix 10-03-15.05 - user 03/16/2010 18:29:13.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.568 [GMT 8:00]
    Running from: c:\documents and settings\user.OWNER-65287C04B\My Documents\Downloads\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Mozilla Firefox\searchplugins\search.xml
    c:\recycler\S-1-5-21-0046626559-1783492473-000045714-6435
    c:\recycler\S-1-5-21-0312473726-5150847989-636764570-1009
    c:\recycler\S-1-5-21-0498196863-7812234501-002752693-5682
    c:\recycler\S-1-5-21-1248036820-1185786173-479485983-0591
    c:\recycler\S-1-5-21-2631298961-1946863893-232921840-1187
    c:\recycler\S-1-5-21-3398548968-7950410238-854631799-9724
    c:\recycler\S-1-5-21-3625009770-3142692884-111635117-5238
    c:\recycler\S-1-5-21-5610415814-3893133209-190753380-0913
    c:\recycler\S-1-5-21-6094464741-0093824562-250081245-2042
    c:\windows\system32\AutoRun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE


    ((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
    .

    2010-03-16 09:43 . 2010-03-16 09:43 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Malwarebytes
    2010-03-16 09:43 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-16 09:43 . 2010-03-16 09:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-16 09:43 . 2010-03-16 09:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-16 09:43 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-15 12:03 . 2010-03-15 12:03 -------- d-----w- c:\program files\Microsoft.NET
    2010-03-15 09:22 . 2010-03-15 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\C2AF
    2010-03-14 18:11 . 2010-03-14 18:11 74544 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-14 13:12 . 2010-03-14 13:38 50354 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook\uninstall.exe
    2010-03-14 13:12 . 2010-03-14 13:12 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook
    2010-03-13 18:12 . 2010-03-13 18:12 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Mozilla
    2010-03-13 16:54 . 2010-03-13 16:54 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\bearsharemediabartb
    2010-03-13 16:46 . 2010-03-13 16:55 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Yahoo
    2010-03-13 16:45 . 2010-03-13 16:45 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Bandoo
    2010-03-13 16:41 . 2010-03-13 16:41 -------- d-----w- c:\documents and settings\TEMP
    2010-03-13 11:12 . 2010-03-13 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\171A5
    2010-03-12 11:34 . 2010-03-12 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\1E0
    2010-03-12 02:47 . 2010-03-12 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\1630D
    2010-03-11 11:24 . 2010-03-11 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\17251
    2010-03-11 05:55 . 2010-03-11 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\222BF
    2010-03-11 03:12 . 2010-03-11 03:12 -------- d-----w- c:\program files\SweetIM
    2010-03-11 03:12 . 2010-03-11 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SweetIM
    2010-03-11 02:58 . 2010-03-11 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\2B3A
    2010-03-11 02:10 . 2010-03-11 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\2638A
    2010-03-10 10:47 . 2007-01-29 04:56 5997613 ----a-w- C:\FarmvilleMagicTools13.zip
    2010-03-10 08:35 . 2010-03-11 02:27 -------- d-----w- C:\My Downloads
    2010-03-10 08:31 . 2010-03-10 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\21251
    2010-03-09 09:18 . 2010-03-09 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\3B251
    2010-03-08 08:51 . 2010-03-08 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\B271
    2010-03-08 04:22 . 2010-03-08 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\335D
    2010-03-07 15:50 . 2004-08-03 23:56 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-03-07 10:26 . 2010-03-07 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\301E4
    2010-03-06 12:00 . 2010-03-06 12:00 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SAZYV
    2010-03-06 12:00 . 2010-02-25 14:49 457688 ----a-w- c:\documents and settings\All Users\Application Data\0bfda88\sqlite3.dll
    2010-03-06 12:00 . 2010-02-25 14:49 714200 ----a-w- c:\documents and settings\All Users\Application Data\0bfda88\mozcrt19.dll
    2010-03-06 11:57 . 2010-03-06 12:00 5790208 ----a-w- c:\documents and settings\All Users\Application Data\0bfda88\SA0bfd.exe
    2010-03-06 11:57 . 2010-03-06 12:00 -------- d-sh--w- c:\documents and settings\All Users\Application Data\0bfda88
    2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook\axfbootloader.dll
    2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook\npfbplugin_1_0_3.dll
    2010-03-05 14:02 . 2004-08-03 16:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-03-05 14:02 . 2004-08-03 16:56 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-03-04 07:18 . 2010-03-04 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-03-02 11:43 . 2010-03-02 11:43 -------- d-----w- C:\logs
    2010-03-02 11:43 . 2010-03-02 11:43 -------- d-----w- c:\documents and settings\user\ChikkaDefault
    2010-03-01 09:58 . 2010-03-01 09:58 40 ----a-w- c:\windows\RSoftInfo.dat
    2010-02-28 13:08 . 2010-02-28 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Bandoo
    2010-02-28 13:08 . 2010-02-28 13:08 -------- d-----w- c:\program files\Bandoo
    2010-02-28 01:38 . 2010-02-28 01:39 -------- d-----w- c:\program files\BearShare Applications
    2010-02-26 07:00 . 2010-02-26 07:00 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-26 07:00 . 2010-02-26 07:00 -------- d-----w- c:\program files\Vimicro
    2010-02-24 22:31 . 2010-02-24 22:31 -------- d-----w- c:\windows\Sun
    2010-02-24 15:30 . 2010-02-24 15:30 -------- d-----w- c:\program files\HP
    2010-02-24 15:29 . 2007-03-08 04:20 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2010-02-24 15:29 . 2007-03-08 04:20 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2010-02-24 15:29 . 2010-02-24 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2010-02-24 15:29 . 2007-03-30 15:07 267864 ----a-r- c:\windows\system32\hpzids01.dll
    2010-02-24 15:29 . 2007-03-28 06:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
    2010-02-24 15:29 . 2007-03-28 05:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
    2010-02-24 15:28 . 2007-03-08 04:20 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2010-02-24 15:28 . 2004-08-03 15:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2010-02-24 15:28 . 2004-08-03 15:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-02-24 15:28 . 2010-02-26 07:01 -------- dc----w- c:\windows\system32\DRVSTORE
    2010-02-24 15:27 . 2007-03-17 16:11 303104 ----a-r- c:\windows\system32\hpovst10.dll
    2010-02-24 15:27 . 2007-03-08 04:20 364544 ----a-r- c:\windows\system32\hppldcoi.dll
    2010-02-24 15:27 . 2007-03-08 04:20 309760 ----a-r- c:\windows\system32\difxapi.dll
    2010-02-24 15:27 . 2007-03-17 16:11 675840 ----a-r- c:\windows\system32\hpowiax3.dll
    2010-02-24 15:27 . 2007-03-17 16:11 569344 ----a-r- c:\windows\system32\hpotscl3.dll
    2010-02-24 15:27 . 2004-08-03 14:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-02-24 15:27 . 2004-08-03 14:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-02-24 15:24 . 2004-08-03 15:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-02-24 15:24 . 2004-08-03 15:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-02-24 13:53 . 2004-08-03 23:56 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2010-02-24 08:28 . 2010-02-24 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-02-24 08:24 . 2010-02-24 08:24 -------- d-----w- c:\program files\Bonjour
    2010-02-24 08:17 . 2010-02-24 08:17 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2010-02-24 08:14 . 2004-08-03 15:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-02-24 08:02 . 2001-08-17 05:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-02-24 08:02 . 2001-08-17 05:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-02-24 08:02 . 2001-08-17 06:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-02-24 08:02 . 2001-08-17 06:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-14 04:31 . 2010-03-14 04:31 -------- d-----w- c:\program files\Photodex Presenter
    2010-03-14 04:31 . 2010-03-14 04:31 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Netscape
    2010-03-14 04:31 . 2010-03-14 04:31 131072 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Netscape\Plugins\npPxPlay.dll
    2010-03-14 04:31 . 2010-03-14 04:31 131072 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Mozilla\Plugins\npPxPlay.dll
    2010-03-14 04:31 . 2010-03-14 04:31 -------- d-----w- c:\program files\Photodex
    2010-03-14 04:30 . 2010-03-14 04:30 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Photodex
    2010-03-13 16:46 . 2010-03-13 16:44 -------- d--h--r- c:\documents and settings\user.OWNER-65287C04B\Application Data\yahoo!
    2010-03-04 07:19 . 2010-02-21 07:19 -------- d-----w- c:\program files\Yahoo!
    2010-03-04 07:18 . 2010-02-21 07:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-02-25 13:25 . 2010-02-21 04:29 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-02-24 08:25 . 2010-02-21 07:09 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-21 08:09 . 2010-02-21 08:09 -------- d-----w- c:\program files\Common Files\LightScribe
    2010-02-21 08:06 . 2010-02-21 08:03 -------- d-----w- c:\program files\Common Files\Ahead
    2010-02-21 08:03 . 2010-02-21 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2010-02-21 08:03 . 2010-02-21 08:03 -------- d-----w- c:\program files\Nero
    2010-02-21 07:49 . 2010-02-21 07:41 -------- d-----w- c:\program files\Microsoft Encarta
    2010-02-21 07:33 . 2010-02-21 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-02-21 07:32 . 2010-02-21 07:32 -------- d-----w- c:\program files\Microsoft Works
    2010-02-21 07:32 . 2010-02-21 07:32 -------- d-----w- c:\program files\MSBuild
    2010-02-21 07:27 . 2010-02-21 07:25 -------- d-----w- c:\program files\GameHouse
    2010-02-21 07:23 . 2010-02-21 07:23 410984 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-21 07:23 . 2010-02-21 07:23 -------- d-----w- c:\program files\Java
    2010-02-21 07:21 . 2010-02-21 07:21 -------- d-----w- c:\program files\K-Lite Codec Pack
    2010-02-21 07:21 . 2010-02-21 07:21 0 ----a-w- c:\windows\nsreg.dat
    2010-02-21 07:21 . 2010-02-21 07:21 -------- d-----w- c:\program files\Winamp
    2010-02-21 07:10 . 2010-02-21 07:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-02-21 07:01 . 2010-02-21 07:01 -------- d-----w- c:\program files\Chikka Messenger
    2010-02-21 06:47 . 2010-02-21 06:47 -------- d-----w- c:\program files\USB Disk Security
    2010-02-21 04:46 . 2010-02-21 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-02-21 04:46 . 2010-02-21 04:46 -------- d-----w- c:\program files\Common Files\Cisco Systems
    2010-02-21 04:46 . 2010-02-21 04:46 -------- d-----w- c:\program files\McAfee
    2010-02-21 04:46 . 2010-02-21 04:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-02-21 04:30 . 2010-02-21 04:30 -------- d-----w- c:\program files\microsoft frontpage
    2010-02-21 04:27 . 2010-02-21 04:27 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-02-21 04:27 . 2010-02-21 04:27 -------- d-----w- c:\program files\Windows Media Connect 2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{EEE6C35D-6118-11DC-9C72-001320C79847} "= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 187192]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}]
    2009-12-20 09:51 87480 ----a-w- c:\program files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
    2009-12-27 06:30 504248 ----a-w- c:\program files\BearShare Applications\MediaBar\DataMngr\IEBHO.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}]
    2010-01-18 23:31 2074048 ----a-w- c:\program files\Bandoo\Plugins\IE\ieplugin.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2009-10-19 08:15 1345336 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{0974BA1E-64EC-11DE-B2A5-E43756D89593} "= "c:\program files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll" [2009-12-20 87480]
    "{EEE6C35B-6118-11DC-9C72-001320C79847} "= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

    [HKEY_CLASSES_ROOT\clsid\{0974ba1e-64ec-11de-b2a5-e43756d89593}]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{EEE6C35B-6118-11DC-9C72-001320C79847} "= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel "= "c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 149040]
    "Google Update "= "c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-14 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE "= "c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
    "McAfeeUpdaterUI "= "c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "RTHDCPL "= "RTHDCPL.EXE" [2007-04-10 16126464]
    "SkyTel "= "SkyTel.EXE" [2007-04-04 1822720]
    "USB Antivirus "= "c:\program files\USB Disk Security\USBGuard.exe" [2008-09-23 798720]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
    "VMSnap3 "= "c:\windows\VMSnap3.EXE" [2006-08-30 49152]
    "Domino "= "c:\windows\Domino.EXE" [2006-06-28 49152]
    "DataMngr "= "c:\program files\BearShare Applications\MediaBar\DataMngr\DataMngrUI.exe" [2009-12-27 184760]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "SweetIM "= "c:\program files\SweetIM\Messenger\SweetIM.exe" [2010-02-24 111928]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix "= "shell32" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=c:\progra~1\Bandoo\BndHook.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-11 18:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-05-04 02:39 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-04-19 05:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-02-16 18:30 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-05-04 02:59 161328 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-01-08 17:53 8523776 ----a-r- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-01-08 17:53 81920 ----a-r- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-21 07:23 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\0bfda88\\SA0bfd.exe "=

    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2/21/2010 1:10 PM 39424]
    R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2/26/2010 3:01 PM 428160]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-04-19 05:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-299502267-725345543-1003Core.job
    - c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-14 12:05]

    2010-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-299502267-725345543-1003UA.job
    - c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-14 12:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = bearshare.com
    mStart Page = hxxp://home.sweetim.com
    uInternet Connection Wizard,ShellNext = hxxp://search.yahoo.com/search?fr=msgr-buddy&ei=UTF-8&p=qatar%20jobs
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\user.OWNER-65287C04B\Application Data\Mozilla\Firefox\Profiles\hg6bw2cv.default\
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZNman000&ptb=8VCZDoVGDqUS42qvh_8ioQ&psa=&ind=2010030804&ptnrS=ZNman000&si=&st=kwd&n=77cea2d4&searchfor=
    FF - plugin: c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\user.OWNER-65287C04B\Application Data\Mozilla\plugins\npPxPlay.dll
    FF - plugin: c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-BigDog303 - c:\windows\VM303_STI.EXE
    MSConfigStartUp-nwiz - nwiz.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1428)
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\RTHDCPL.EXE
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Photodex\ProShowGold\ScsiAccess.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\progra~1\Bandoo\Bandoo.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-16 18:35:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-16 10:35

    Pre-Run: 35,728,080,896 bytes free
    Post-Run: 35,641,307,136 bytes free

    - - End Of File - - 301A325E7E21604964233372DB4503BC
     
  6. 2010/03/16
    Abi621

    Abi621 Inactive Thread Starter

    HijackThis log after ComboFix

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 6:41:28 PM, on 3/16/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\VMSnap3.EXE
    C:\WINDOWS\Domino.EXE
    C:\Program Files\BearShare Applications\MediaBar\DataMngr\DataMngrUI.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Documents and Settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\PROGRA~1\Bandoo\Bandoo.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = bearshare.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.yahoo.com/search?fr=msgr-buddy&ei=UTF-8&p=qatar jobs
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\MediaBar\DataMngr\IEBHO.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Bandoo IE Plugin - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll
    O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
    O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
    O4 - HKLM\..\Run: [DataMngr] C:\Program Files\BearShare Applications\MediaBar\DataMngr\DataMngrUI.exe
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe "
    O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: c:\PROGRA~1\Bandoo\BndHook.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Bandoo Coordinator - Discordia Limited - C:\PROGRA~1\Bandoo\Bandoo.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 8732 bytes
     
  7. 2010/03/16
    crunchie

    crunchie Inactive

    What is FarmvilleMagicTools13?
     
  8. 2010/03/16
    Abi621

    Abi621 Inactive Thread Starter

    It's a tool for Farmville on Facebook. Should I remove it?

    It speeds up the harvesting in the game on Facebook.
     
  9. 2010/03/16
    crunchie

    crunchie Inactive

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    Folder::
    c:\progra~1\Bandoo
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    • A new HijackThis log.
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  10. 2010/03/16
    Abi621

    ComboFix 10-03-15.05 - user 03/16/2010 19:15:48.2.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.622 [GMT 8:00]
    Running from: c:\documents and settings\user.OWNER-65287C04B\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\user.OWNER-65287C04B\Desktop\CFScript.txt
    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\progra~1\Bandoo
    c:\progra~1\Bandoo\Bandoo.exe
    c:\progra~1\Bandoo\BandooGo.exe
    c:\progra~1\Bandoo\BandooRes.dll
    c:\progra~1\Bandoo\BandooUI.exe
    c:\progra~1\Bandoo\BndCore.exe
    c:\progra~1\Bandoo\BndHook.dll
    c:\progra~1\Bandoo\CrashRpt.dll
    c:\progra~1\Bandoo\ExtensionsManager.exe
    c:\progra~1\Bandoo\FFSettings.exe
    c:\progra~1\Bandoo\FlashAnimator.dll
    c:\progra~1\Bandoo\GIFAnimator.dll
    c:\progra~1\Bandoo\INSTALL.LOG
    c:\progra~1\Bandoo\InstallerHelper.dll
    c:\progra~1\Bandoo\libungif4.dll
    c:\progra~1\Bandoo\license.rtf
    c:\progra~1\Bandoo\Plugins.ini
    c:\progra~1\Bandoo\Plugins\AIM\AIMPlugin.dll
    c:\progra~1\Bandoo\Plugins\AIM\Resources\HTML\blank.html
    c:\progra~1\Bandoo\Plugins\AIM\Resources\HTML\error.html
    c:\progra~1\Bandoo\Plugins\AIM\Resources\HTML\sorry_sample.jpg
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\BandooToolbar.xml
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\BandooToolbarV7.xml
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1001.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1002.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1003.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1004.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1005.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1006.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1007.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1007.over.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1008.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1008.over.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1009.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1009.over.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1010.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1010.over.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1011.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1011.over.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1012.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\1012.over.dat
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\tlb_center.gif
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\tlb_left.gif
    c:\progra~1\Bandoo\Plugins\AIM\Resources\Toolbar\Images\tlb_right.gif
    c:\progra~1\Bandoo\Plugins\IE\ieplugin.dll
    c:\progra~1\Bandoo\Plugins\IE\Resources\bandoo.js
    c:\progra~1\Bandoo\Plugins\IE\Resources\HTML\blank.html
    c:\progra~1\Bandoo\Plugins\IE\Resources\HTML\error.html
    c:\progra~1\Bandoo\Plugins\IE\Resources\HTML\sorry_sample.jpg
    c:\progra~1\Bandoo\Plugins\MSN\msnplugin.dll
    c:\progra~1\Bandoo\Plugins\MSN\Resources\HTML\blank.html
    c:\progra~1\Bandoo\Plugins\MSN\Resources\HTML\error.html
    c:\progra~1\Bandoo\Plugins\MSN\Resources\HTML\sorry_sample.jpg
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\BandooToolbar.xml
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\Images\1001.dat
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\Images\1002.dat
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\Images\1003.dat
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\Images\1004.dat
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\Images\1005.dat
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\Images\1006.dat
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\Images\1011.dat
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\Images\1012.dat
    c:\progra~1\Bandoo\Plugins\MSN\Resources\Toolbar\Images\1013.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\HTML\blank.html
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\HTML\error.html
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\HTML\sorry_sample.jpg
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\BandooToolbar.xml
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\BandooToolbarV9.xml
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1001.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1002.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1003.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1004.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1005.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1006.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1051.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1052.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1053.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1054.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1055.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\Resources\Toolbar\Images\1056.dat
    c:\progra~1\Bandoo\Plugins\Yahoo\YahooPlugin.dll
    c:\progra~1\Bandoo\PreUninstall.exe
    c:\progra~1\Bandoo\Resources\BandooMessages.xml
    c:\progra~1\Bandoo\Resources\downloading.gif
    c:\progra~1\Bandoo\Resources\nudge0.wav
    c:\progra~1\Bandoo\Resources\nudge1.wav
    c:\progra~1\Bandoo\Resources\nudge2.wav
    c:\progra~1\Bandoo\Resources\nudge3.wav
    c:\progra~1\Bandoo\Resources\nudge4.wav
    c:\progra~1\Bandoo\Resources\nudge5.wav
    c:\progra~1\Bandoo\Resources\tutorial\images\bottomBg.gif
    c:\progra~1\Bandoo\Resources\tutorial\images\close.gif
    c:\progra~1\Bandoo\Resources\tutorial\images\contentBg.gif
    c:\progra~1\Bandoo\Resources\tutorial\images\installation_page_frame.swf
    c:\progra~1\Bandoo\Resources\tutorial\images\screen.jpg
    c:\progra~1\Bandoo\Resources\tutorial\images\startMenuTopText.gif
    c:\progra~1\Bandoo\Resources\tutorial\images\topBg.gif
    c:\progra~1\Bandoo\Resources\tutorial\images\what_next.gif
    c:\progra~1\Bandoo\Resources\tutorial\tutorial.html
    c:\progra~1\Bandoo\UNWISE.EXE

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_Bandoo_Coordinator
    -------\Service_Bandoo Coordinator


    ((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
    .

    2010-03-16 10:41 . 2010-03-16 10:41 388096 ----a-r- c:\documents and settings\user.OWNER-65287C04B\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-16 10:41 . 2010-03-16 10:41 -------- d-----w- c:\program files\TrendMicro
    2010-03-16 09:43 . 2010-03-16 09:43 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Malwarebytes
    2010-03-16 09:43 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-16 09:43 . 2010-03-16 09:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-16 09:43 . 2010-03-16 09:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-16 09:43 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-15 12:03 . 2010-03-15 12:03 -------- d-----w- c:\program files\Microsoft.NET
    2010-03-15 09:22 . 2010-03-15 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\C2AF
    2010-03-14 18:11 . 2010-03-14 18:11 74544 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-14 13:12 . 2010-03-14 13:38 50354 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook\uninstall.exe
    2010-03-14 13:12 . 2010-03-14 13:12 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook
    2010-03-13 18:12 . 2010-03-13 18:12 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Mozilla
    2010-03-13 16:54 . 2010-03-13 16:54 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\bearsharemediabartb
    2010-03-13 16:46 . 2010-03-13 16:55 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Yahoo
    2010-03-13 16:45 . 2010-03-13 16:45 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Bandoo
    2010-03-13 16:41 . 2010-03-13 16:41 -------- d-----w- c:\documents and settings\TEMP
    2010-03-13 11:12 . 2010-03-13 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\171A5
    2010-03-12 11:34 . 2010-03-12 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\1E0
    2010-03-12 02:47 . 2010-03-12 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\1630D
    2010-03-11 11:24 . 2010-03-11 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\17251
    2010-03-11 05:55 . 2010-03-11 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\222BF
    2010-03-11 03:12 . 2010-03-11 03:12 -------- d-----w- c:\program files\SweetIM
    2010-03-11 03:12 . 2010-03-11 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SweetIM
    2010-03-11 02:58 . 2010-03-11 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\2B3A
    2010-03-11 02:10 . 2010-03-11 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\2638A
    2010-03-10 10:47 . 2007-01-29 04:56 5997613 ----a-w- C:\FarmvilleMagicTools13.zip
    2010-03-10 08:35 . 2010-03-11 02:27 -------- d-----w- C:\My Downloads
    2010-03-10 08:31 . 2010-03-10 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\21251
    2010-03-09 09:18 . 2010-03-09 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\3B251
    2010-03-08 08:51 . 2010-03-08 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\B271
    2010-03-08 04:22 . 2010-03-08 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\335D
    2010-03-07 15:50 . 2004-08-03 23:56 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-03-07 10:26 . 2010-03-07 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\301E4
    2010-03-06 12:00 . 2010-03-06 12:00 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SAZYV
    2010-03-06 12:00 . 2010-02-25 14:49 457688 ----a-w- c:\documents and settings\All Users\Application Data\0bfda88\sqlite3.dll
    2010-03-06 12:00 . 2010-02-25 14:49 714200 ----a-w- c:\documents and settings\All Users\Application Data\0bfda88\mozcrt19.dll
    2010-03-06 11:57 . 2010-03-06 12:00 5790208 ----a-w- c:\documents and settings\All Users\Application Data\0bfda88\SA0bfd.exe
    2010-03-06 11:57 . 2010-03-06 12:00 -------- d-sh--w- c:\documents and settings\All Users\Application Data\0bfda88
    2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook\axfbootloader.dll
    2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook\npfbplugin_1_0_3.dll
    2010-03-05 14:02 . 2004-08-03 16:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-03-05 14:02 . 2004-08-03 16:56 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-03-04 07:18 . 2010-03-04 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-03-02 11:43 . 2010-03-02 11:43 -------- d-----w- C:\logs
    2010-03-02 11:43 . 2010-03-02 11:43 -------- d-----w- c:\documents and settings\user\ChikkaDefault
    2010-03-01 09:58 . 2010-03-01 09:58 40 ----a-w- c:\windows\RSoftInfo.dat
    2010-02-28 13:08 . 2010-02-28 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Bandoo
    2010-02-28 01:38 . 2010-02-28 01:39 -------- d-----w- c:\program files\BearShare Applications
    2010-02-26 07:00 . 2010-02-26 07:00 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-26 07:00 . 2010-02-26 07:00 -------- d-----w- c:\program files\Vimicro
    2010-02-24 22:31 . 2010-02-24 22:31 -------- d-----w- c:\windows\Sun
    2010-02-24 15:30 . 2010-02-24 15:30 -------- d-----w- c:\program files\HP
    2010-02-24 15:29 . 2007-03-08 04:20 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2010-02-24 15:29 . 2007-03-08 04:20 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2010-02-24 15:29 . 2010-02-24 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2010-02-24 15:29 . 2007-03-30 15:07 267864 ----a-r- c:\windows\system32\hpzids01.dll
    2010-02-24 15:29 . 2007-03-28 06:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
    2010-02-24 15:29 . 2007-03-28 05:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
    2010-02-24 15:28 . 2007-03-08 04:20 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2010-02-24 15:28 . 2004-08-03 15:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2010-02-24 15:28 . 2004-08-03 15:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-02-24 15:28 . 2010-02-26 07:01 -------- dc----w- c:\windows\system32\DRVSTORE
    2010-02-24 15:27 . 2007-03-17 16:11 303104 ----a-r- c:\windows\system32\hpovst10.dll
    2010-02-24 15:27 . 2007-03-08 04:20 364544 ----a-r- c:\windows\system32\hppldcoi.dll
    2010-02-24 15:27 . 2007-03-08 04:20 309760 ----a-r- c:\windows\system32\difxapi.dll
    2010-02-24 15:27 . 2007-03-17 16:11 675840 ----a-r- c:\windows\system32\hpowiax3.dll
    2010-02-24 15:27 . 2007-03-17 16:11 569344 ----a-r- c:\windows\system32\hpotscl3.dll
    2010-02-24 15:27 . 2004-08-03 14:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-02-24 15:27 . 2004-08-03 14:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-02-24 15:24 . 2004-08-03 15:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-02-24 15:24 . 2004-08-03 15:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-02-24 13:53 . 2004-08-03 23:56 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2010-02-24 08:28 . 2010-02-24 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-02-24 08:24 . 2010-02-24 08:24 -------- d-----w- c:\program files\Bonjour
    2010-02-24 08:17 . 2010-02-24 08:17 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2010-02-24 08:14 . 2004-08-03 15:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-02-24 08:02 . 2001-08-17 05:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-02-24 08:02 . 2001-08-17 05:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-02-24 08:02 . 2001-08-17 06:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-02-24 08:02 . 2001-08-17 06:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-14 04:31 . 2010-03-14 04:31 -------- d-----w- c:\program files\Photodex Presenter
    2010-03-14 04:31 . 2010-03-14 04:31 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Netscape
    2010-03-14 04:31 . 2010-03-14 04:31 131072 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Netscape\Plugins\npPxPlay.dll
    2010-03-14 04:31 . 2010-03-14 04:31 131072 ----a-w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Mozilla\Plugins\npPxPlay.dll
    2010-03-14 04:31 . 2010-03-14 04:31 -------- d-----w- c:\program files\Photodex
    2010-03-14 04:30 . 2010-03-14 04:30 -------- d-----w- c:\documents and settings\user.OWNER-65287C04B\Application Data\Photodex
    2010-03-13 16:46 . 2010-03-13 16:44 -------- d--h--r- c:\documents and settings\user.OWNER-65287C04B\Application Data\yahoo!
    2010-03-04 07:19 . 2010-02-21 07:19 -------- d-----w- c:\program files\Yahoo!
    2010-03-04 07:18 . 2010-02-21 07:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-02-25 13:25 . 2010-02-21 04:29 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-02-24 08:25 . 2010-02-21 07:09 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-21 08:09 . 2010-02-21 08:09 -------- d-----w- c:\program files\Common Files\LightScribe
    2010-02-21 08:06 . 2010-02-21 08:03 -------- d-----w- c:\program files\Common Files\Ahead
    2010-02-21 08:03 . 2010-02-21 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2010-02-21 08:03 . 2010-02-21 08:03 -------- d-----w- c:\program files\Nero
    2010-02-21 07:49 . 2010-02-21 07:41 -------- d-----w- c:\program files\Microsoft Encarta
    2010-02-21 07:33 . 2010-02-21 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-02-21 07:32 . 2010-02-21 07:32 -------- d-----w- c:\program files\Microsoft Works
    2010-02-21 07:32 . 2010-02-21 07:32 -------- d-----w- c:\program files\MSBuild
    2010-02-21 07:27 . 2010-02-21 07:25 -------- d-----w- c:\program files\GameHouse
    2010-02-21 07:23 . 2010-02-21 07:23 410984 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-21 07:23 . 2010-02-21 07:23 -------- d-----w- c:\program files\Java
    2010-02-21 07:21 . 2010-02-21 07:21 -------- d-----w- c:\program files\K-Lite Codec Pack
    2010-02-21 07:21 . 2010-02-21 07:21 0 ----a-w- c:\windows\nsreg.dat
    2010-02-21 07:21 . 2010-02-21 07:21 -------- d-----w- c:\program files\Winamp
    2010-02-21 07:10 . 2010-02-21 07:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-02-21 07:01 . 2010-02-21 07:01 -------- d-----w- c:\program files\Chikka Messenger
    2010-02-21 06:47 . 2010-02-21 06:47 -------- d-----w- c:\program files\USB Disk Security
    2010-02-21 04:46 . 2010-02-21 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-02-21 04:46 . 2010-02-21 04:46 -------- d-----w- c:\program files\Common Files\Cisco Systems
    2010-02-21 04:46 . 2010-02-21 04:46 -------- d-----w- c:\program files\McAfee
    2010-02-21 04:46 . 2010-02-21 04:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-02-21 04:30 . 2010-02-21 04:30 -------- d-----w- c:\program files\microsoft frontpage
    2010-02-21 04:27 . 2010-02-21 04:27 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-02-21 04:27 . 2010-02-21 04:27 -------- d-----w- c:\program files\Windows Media Connect 2
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-03-16_10.33.05 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-16 11:20 . 2010-03-16 11:20 16384 c:\windows\temp\Perflib_Perfdata_428.dat
    + 2010-03-16 10:41 . 2010-03-16 10:41 1093632 c:\windows\Installer\7133a.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{EEE6C35D-6118-11DC-9C72-001320C79847} "= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 187192]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}]
    2009-12-20 09:51 87480 ----a-w- c:\program files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
    2009-12-27 06:30 504248 ----a-w- c:\program files\BearShare Applications\MediaBar\DataMngr\IEBHO.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2009-10-19 08:15 1345336 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{0974BA1E-64EC-11DE-B2A5-E43756D89593} "= "c:\program files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll" [2009-12-20 87480]
    "{EEE6C35B-6118-11DC-9C72-001320C79847} "= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

    [HKEY_CLASSES_ROOT\clsid\{0974ba1e-64ec-11de-b2a5-e43756d89593}]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{EEE6C35B-6118-11DC-9C72-001320C79847} "= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel "= "c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 149040]
    "Google Update "= "c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-14 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE "= "c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
    "McAfeeUpdaterUI "= "c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "RTHDCPL "= "RTHDCPL.EXE" [2007-04-10 16126464]
    "SkyTel "= "SkyTel.EXE" [2007-04-04 1822720]
    "USB Antivirus "= "c:\program files\USB Disk Security\USBGuard.exe" [2008-09-23 798720]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
    "VMSnap3 "= "c:\windows\VMSnap3.EXE" [2006-08-30 49152]
    "Domino "= "c:\windows\Domino.EXE" [2006-06-28 49152]
    "DataMngr "= "c:\program files\BearShare Applications\MediaBar\DataMngr\DataMngrUI.exe" [2009-12-27 184760]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "SweetIM "= "c:\program files\SweetIM\Messenger\SweetIM.exe" [2010-02-24 111928]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix "= "shell32" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-11 18:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-05-04 02:39 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-04-19 05:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-02-16 18:30 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-05-04 02:59 161328 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-01-08 17:53 8523776 ----a-r- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-01-08 17:53 81920 ----a-r- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-21 07:23 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Documents and Settings\\All Users\\Application Data\\0bfda88\\SA0bfd.exe "=

    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2/21/2010 1:10 PM 39424]
    R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2/26/2010 3:01 PM 428160]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-04-19 05:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-299502267-725345543-1003Core.job
    - c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-14 12:05]

    2010-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-299502267-725345543-1003UA.job
    - c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-14 12:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = bearshare.com
    mStart Page = hxxp://home.sweetim.com
    uInternet Connection Wizard,ShellNext = hxxp://search.yahoo.com/search?fr=msgr-buddy&ei=UTF-8&p=qatar%20jobs
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\user.OWNER-65287C04B\Application Data\Mozilla\Firefox\Profiles\hg6bw2cv.default\
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZNman000&ptb=8VCZDoVGDqUS42qvh_8ioQ&psa=&ind=2010030804&ptnrS=ZNman000&si=&st=kwd&n=77cea2d4&searchfor=
    FF - plugin: c:\documents and settings\user.OWNER-65287C04B\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\user.OWNER-65287C04B\Application Data\Mozilla\plugins\npPxPlay.dll
    FF - plugin: c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{EB5CEE80-030A-4ED8-8E20-454E9C68380F} - c:\program files\Bandoo\Plugins\IE\ieplugin.dll
    AddRemove-Bandoo - c:\program files\Bandoo\PreUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-16 19:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(508)
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\documents and settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Photodex\ProShowGold\ScsiAccess.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-16 19:22:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-16 11:22
    ComboFix2.txt 2010-03-16 10:35

    Pre-Run: 35,698,757,632 bytes free
    Post-Run: 35,594,522,624 bytes free

    - - End Of File - - B97A16FE01528BF1D5E5B5C060455F8A
     
  11. 2010/03/16
    Abi621

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 7:24:26 PM, on 3/16/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\USB Disk Security\USBGuard.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\VMSnap3.EXE
    C:\WINDOWS\Domino.EXE
    C:\Program Files\BearShare Applications\MediaBar\DataMngr\DataMngrUI.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Documents and Settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = bearshare.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.yahoo.com/search?fr=msgr-buddy&ei=UTF-8&p=qatar jobs
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\MediaBar\DataMngr\IEBHO.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
    O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
    O4 - HKLM\..\Run: [DataMngr] C:\Program Files\BearShare Applications\MediaBar\DataMngr\DataMngrUI.exe
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe "
    O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user.OWNER-65287C04B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 8492 bytes
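An added example, not part of the thread above or of HijackThis itself: a small parser for the R0/R1, O2, O3, O4 and O23 lines of a log like the one just posted, plus a few defensive review rules of the kind a helper applies by eye (a Run entry whose executable is a bare filename and so depends on the PATH search order, a service with no recognised vendor, a start page that is not a vendor default). The sample lines are copied from the log above; the rule names, the `Entry` type and the `DEFAULT_PAGES` list are this example's own assumptions, and its findings are prompts for confirmation, not verdicts.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a handful of lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = bearshare.com
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\MediaBar\DataMngr\IEBHO.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""


@dataclass
class Entry:
    code: str                                  # HijackThis section code, e.g. "O4"
    kind: str                                  # startpage / bho / toolbar / run / service
    name: str                                  # display name or registry value name
    target: str                                # URL, command line or module path
    attrs: Dict[str, str] = field(default_factory=dict)


LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
COM_RE = re.compile(r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
START_RE = re.compile(r"^(?P<key>.+?),(?P<value>[^=]+?) = (?P<url>.*)$")


def parse_hjt(text: str) -> List[Entry]:
    """Turn the R0/R1, O2, O3, O4 and O23 lines of a HijackThis log into Entry objects."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                           # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            r = RUN_RE.match(body)
            if r:
                entries.append(Entry(code, "run", r["name"], r["cmd"], {"hive": r["hive"], "key": r["key"]}))
        elif code in ("O2", "O3"):
            c = COM_RE.match(body)
            if c:
                entries.append(Entry(code, c["kind"].lower(), c["name"], c["path"], {"clsid": c["clsid"].upper()}))
        elif code == "O23":
            s = SVC_RE.match(body)
            if s:
                entries.append(Entry(code, "service", s["name"], s["path"], {"owner": s["owner"]}))
        elif code in ("R0", "R1"):
            p = START_RE.match(body)
            if p:
                entries.append(Entry(code, "startpage", p["value"], p["url"], {"key": p["key"]}))
    return entries


def summarize_kinds(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.kind for e in entries))


def executable_of(cmd: str) -> str:
    """First token of a Run command, honouring a leading double-quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


# Assumed vendor defaults for this example; anything else is worth a question, not a verdict.
DEFAULT_PAGES = ("http://go.microsoft.com/", "http://www.microsoft.com/", "about:blank")


def triage(entries: List[Entry]) -> List[str]:
    """Review rules a helper would apply by eye; each finding asks the poster to confirm something."""
    findings: List[str] = []
    for e in entries:
        if e.kind == "run":
            exe = executable_of(e.target)
            if "\\" not in exe:                # no directory: resolved through the PATH search order
                findings.append(f"{e.code} [{e.name}]: bare executable '{exe}' is found via PATH; confirm which file actually runs")
        elif e.kind == "service" and e.attrs.get("owner", "").lower() == "unknown owner":
            findings.append(f"{e.code} {e.name}: no recognised vendor; verify the file's signature and origin ({e.target})")
        elif e.kind == "startpage" and not e.target.startswith(DEFAULT_PAGES):
            findings.append(f"{e.code} {e.name}: points at {e.target}; confirm the user chose it")
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(summarize_kinds(parsed))
    for line in triage(parsed):
        print(line)
```

Run on the full log rather than the sample, the same rules also pick out `SkyTel.EXE` (another bare filename under HKLM\..\Run), which is why the bare-executable rule asks for confirmation instead of declaring anything malicious: well-known OEM entries use the same form.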
     
  12. 2010/03/16
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

    c:\documents and settings\All Users\Application Data\171A5
    c:\documents and settings\All Users\Application Data\1E0
    c:\documents and settings\All Users\Application Data\1630D
    c:\documents and settings\All Users\Application Data\17251
    c:\documents and settings\All Users\Application Data\222BF
    c:\documents and settings\All Users\Application Data\2B3A
    c:\documents and settings\All Users\Application Data\2638A
    c:\documents and settings\All Users\Application Data\21251
    c:\documents and settings\All Users\Application Data\3B251
    c:\documents and settings\All Users\Application Data\B271
    c:\documents and settings\All Users\Application Data\335D
    c:\windows\system32\wmpns.dll
    c:\documents and settings\All Users\Application Data\301E4
    c:\documents and settings\All Users\Application Data\SAZYV
    c:\documents and settings\All Users\Application Data\0bfda88\sqlite3.dll
    c:\documents and settings\All Users\Application Data\0bfda88\mozcrt19.dll
    c:\documents and settings\All Users\Application Data\0bfda88\SA0bfd.exe
    c:\documents and settings\All Users\Application Data\0bfda88

    ===================

    I will check back later as I am off to bed now.
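An added example, not from the thread or from either scanner crunchie names: before uploading the files listed above, a helper (or the poster) can record each file's SHA-256 and size, which most multi-engine scanners accept as a hash lookup and which also fixes in the thread exactly which bytes were checked. The path list is a constructed sample taken from the post; the status labels and the `hash_files` / `format_report` names are this example's own. No scanner API is called here; the output is meant to be pasted into the reply.

```python
import hashlib
import os
from typing import Dict, Iterable

# Constructed sample: two of the paths listed in the post above. On any other
# machine they will not exist, and the report records that instead of failing.
PATHS_FROM_POST = [
    r"c:\windows\system32\wmpns.dll",
    r"c:\documents and settings\All Users\Application Data\0bfda88",
]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a large binary never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _hash_one(path: str) -> Dict[str, str]:
    try:
        return {"status": "ok", "sha256": sha256_of(path), "size": str(os.path.getsize(path))}
    except FileNotFoundError:
        return {"status": "missing"}          # already removed, or the path was mistyped
    except PermissionError:
        return {"status": "locked"}           # still held open or protected by the running process


def hash_files(paths: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Map each path to its SHA-256 and size, or to a status saying why it could not be read.

    A directory cannot be looked up by hash, so it is expanded to the files inside it.
    """
    report: Dict[str, Dict[str, str]] = {}
    for p in paths:
        if os.path.isdir(p):
            for root, _dirs, files in os.walk(p):
                for name in files:
                    full = os.path.join(root, name)
                    report[full] = _hash_one(full)
            continue
        report[p] = _hash_one(p)
    return report


def format_report(report: Dict[str, Dict[str, str]]) -> str:
    """One line per path: hash (or dashes), size or status, path. Ready to paste into a reply."""
    lines = []
    for path, info in sorted(report.items()):
        if info["status"] == "ok":
            lines.append(f"{info['sha256']}  {info['size']:>10}  {path}")
        else:
            lines.append(f"{'-' * 64}  {info['status']:>10}  {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(hash_files(PATHS_FROM_POST)))
```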
     
  13. 2010/03/22
    Abi621

    Abi621 Inactive Thread Starter

    Joined:
    2010/03/16
    Messages:
    11
    Likes Received:
    0
    The files are Macromedia files and found nothing.

    There's no log or anything, but all scanners said they found nothing.
     
  14. 2010/03/22
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    No worries :). Can you please update MBA-M and give it a run. Let me know what is found and how the computer is running.
     
  15. 2010/03/23
    Abi621

    Abi621 Inactive Thread Starter

    Joined:
    2010/03/16
    Messages:
    11
    Likes Received:
    0
    It seems our computer is fine, but it needs to be confirmed by you. Hope I'm not making you worry because I have some duties in the hospital.

    MBAM as requested.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3872
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.11

    3/23/2010 7:56:25 PM
    mbam-log-2010-03-23 (19-56-25).txt

    Scan type: Full Scan
    Objects scanned: 128730
    Time elapsed: 56 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  16. 2010/03/23
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Ok then. Let's run an on-line scan to be sure the pc is as clean as we can tell.

    Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner.

    Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

    Click Yes, when prompted to install its ActiveX component.
    (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    The program launches and downloads the latest definition files.
    • Once the files are downloaded click on Next
    • Click on Scan Settings and configure as follows:
      • Scan using the following Anti-Virus database:
        • Extended
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK and, under select a target to scan, select My Computer
    When the scan is done, in the Scan is completed window (below), any infection is displayed.
    There is no option to clean/disinfect; however, we need to analyze the information on the report.

    To obtain the report:
    Click on: Save Report As (above - red blinking arrow)
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.
     
