
[Active] Web Browser Search Engine Redirect

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by shemadavid, Jan 27, 2010.

  1. shemadavid

    shemadavid Techie7 New Member

    Hi,

    I have Windows 7 and am having problems with chrome & firefox search results redirecting to the incorrect sites. Any help would be greatly appreciated as I can't seem to find a solution.

    I have run a full scan with search & destroy but the problem is still there.

    I have also used spyware doctor & malwarebytes anti-malware but to no avail.

    My HiJackthis log is:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 20:18:38, on 27/01/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
    C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe
    C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\RescueTime\RescueTime.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
    C:\Windows\system32\calc.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Program Files\DIALux\DLXShellExtension.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
    O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
    O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe"
    O4 - HKLM\..\Run: [FontExpertType1Loader] C:\Program Files\FontExpert\Type1Loader.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Users\upstaris\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: OOo-dev 3.2.lnk = C:\Program Files\OOo-dev 3\program\quickstart.exe
    O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Startup: RescueTime.lnk = C:\Program Files\RescueTime\RescueTime.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    O13 - Gopher Prefix:
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
    O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp2\bin\apache\apache2.2.11\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp2\bin\mysql\mysql5.1.36\bin

    and my uninstall list is:

    Acrobat.com
    Acrobat.com
    Ad-Aware
    Ad-Aware
    Adobe After Effects CS4
    Adobe After Effects CS4 Presets
    Adobe After Effects CS4 Third Party Content
    Adobe AIR
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Recommended Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Extra Settings CS4
    Adobe Color Video Profiles AE CS4
    Adobe Color Video Profiles CS CS4
    Adobe Creative Suite 4 Master Collection
    Adobe Creative Suite 4 Master Collection
    Adobe CS4 American English Speech Analysis Models
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Dreamweaver CS4
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe Encore CS4 Codecs
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe InDesign CS4
    Adobe InDesign CS4 Application Feature Set Files (Roman)
    Adobe InDesign CS4 Common Base Files
    Adobe InDesign CS4 Icon Handler
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Encoder CS4 Additional Exporter
    Adobe Media Encoder CS4 Dolby
    Adobe Media Encoder CS4 Exporter
    Adobe Media Encoder CS4 Importer
    Adobe Media Player
    Adobe Media Player
    Adobe MotionPicture Color Files CS4
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Premiere Pro CS4
    Adobe Premiere Pro CS4 Functional Content
    Adobe Premiere Pro CS4 Third Party Content
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SGM CS4
    Adobe SING CS4
    Adobe Soundbooth CS4 Codecs
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    AI Suite
    Apple Application Support
    Apple Software Update
    avast! Antivirus
    Browser Defender 2.0.6.10
    Connect
    DIALux 4.7
    eM Client
    EOS Camera Movie Record 0.1.9 Beta 3
    Express Rip
    FileZilla Client 3.3.1
    FontExpert 2009
    Foxit Reader
    Free Easy Burner V 3.9
    HiJackThis
    ImgBurn
    Java(TM) 6 Update 16
    Java(TM) 6 Update 17
    kuler
    Magic ISO Maker v5.5 (build 0276)
    Malwarebytes' Anti-Malware
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.5.7)
    Mozilla Thunderbird (2.0.0.23)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Notepad++
    NVIDIA Drivers
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    OOo-dev 3.2
    Ooyala Backlot
    Ooyala Backlot
    OpenOffice.org 3.1
    OpenOffice.org 3.1 Language Pack (English (United Kingdom))
    Paragon Partition Manager™ 10.0 Personal
    PDF Settings CS4
    Photoshop Camera Raw
    Pismo File Mount Audit Package
    Pixel ****** Toolkit
    PL-2303 USB-to-Serial
    POV-Ray for Windows v3.6.0
    QuickTime
    RescueTime 2.1.0
    Revo Uninstaller 1.83
    SmartFTP Client
    SmartFTP Client 4.0 Setup Files (remove only)
    Spotify
    Spybot - Search & Destroy
    Spyware Doctor 7.0
    Steam
    STREET FIGHTER IV
    Suite Shared Configuration CS4
    Switch Sound File Converter
    tools-freebsd
    tools-linux
    tools-netware
    tools-solaris
    tools-windows
    tools-winPre2k
    Topaz Adjust 3
    VLC media player 1.0.3
    VMware Workstation
    VMware Workstation
    WampServer 2.0
    WinRAR archiver

    Thanks a lot for any help!
     
  2. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please disable "word wrap" in Notepad, because your log is hard to read.

    Don't use HJT 2.03 (beta). Uninstall your version. Download the 2.0.2 version from the link I provided below...

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    HijackThis - Trend Micro USA
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  3. shemadavid

    shemadavid Techie7 New Member

    Thanks for your quick response.

    ComboFix 10-01-28.05 - upstaris 29/01/2010 11:17:18.1.4 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3327.2254 [GMT 0:00]
    Running from: c:\users\upstaris\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\install.exe
    c:\recycler\S-1-5-21-1935655697-1417001333-1801674531-1003
    c:\recycler\S-1-5-21-448539723-57989841-725345543-1003
    C:\Thumbs.db
    c:\windows\Fonts\MyriadPro-Regular.otf

    c:\windows\System32\isoburn.exe . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-29 )))))))))))))))))))))))))))))))
    .

    2010-01-29 11:28 . 2010-01-29 11:29 -------- d-----w- c:\users\upstaris\AppData\Local\temp
    2010-01-29 11:28 . 2010-01-29 11:28 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-01-28 20:19 . 2010-01-28 20:19 -------- d-----w- c:\users\upstaris\AppData\Local\Cooliris
    2010-01-28 03:01 . 2009-09-04 17:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
    2010-01-28 03:01 . 2009-09-04 17:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
    2010-01-27 14:39 . 2010-01-27 14:39 -------- d-----w- c:\program files\TrendMicro
    2010-01-27 13:11 . 2010-01-29 10:54 -------- d-----w- c:\programdata\Lavasoft
    2010-01-27 11:18 . 2010-01-27 11:38 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-01-27 11:18 . 2010-01-27 11:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-27 11:11 . 2010-01-27 11:11 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-27 10:57 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
    2010-01-27 10:57 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe
    2010-01-27 00:08 . 2009-10-08 13:14 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
    2010-01-27 00:08 . 2009-10-08 13:14 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
    2010-01-27 00:08 . 2009-10-08 13:14 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
    2010-01-26 23:35 . 2009-09-24 08:55 97208 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
    2010-01-26 23:35 . 2009-09-24 08:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-01-26 23:35 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-01-26 23:35 . 2009-09-23 16:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-01-26 23:35 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-01-26 23:35 . 2010-01-29 11:12 -------- d-----w- c:\program files\Spyware Doctor
    2010-01-26 23:35 . 2010-01-27 00:08 -------- d-----w- c:\programdata\PC Tools
    2010-01-26 23:35 . 2010-01-26 23:38 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-01-26 23:35 . 2010-01-26 23:35 -------- d-----w- c:\users\upstaris\AppData\Roaming\PC Tools
    2010-01-24 18:20 . 2010-01-24 18:21 -------- d-----w- c:\program files\POV-Ray for Windows v3.6
    2010-01-24 18:18 . 2006-08-01 14:09 1966080 ----a-w- c:\windows\system32\cdintf251.dll
    2010-01-24 18:18 . 2009-02-16 16:13 3833856 ----a-w- c:\windows\system32\cdintf300.dll
    2010-01-24 18:16 . 2010-01-24 21:03 -------- d-----w- c:\programdata\DIALux
    2010-01-24 18:16 . 2010-01-24 18:19 -------- d-----w- c:\program files\DIALux
    2010-01-24 18:16 . 2010-01-24 18:17 -------- d-----w- c:\program files\Common Files\DIALux
    2010-01-24 18:16 . 2010-01-24 18:16 -------- d-----w- c:\windows\DIALux
    2010-01-22 09:28 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-01-21 12:14 . 2010-01-21 12:14 -------- d-----w- c:\users\upstaris\AppData\Roaming\Malwarebytes
    2010-01-21 12:14 . 2010-01-21 12:14 -------- d-----w- c:\programdata\Malwarebytes
    2010-01-21 09:39 . 2010-01-21 09:39 -------- d-----w- c:\users\upstaris\AppData\Roaming\Foxit
    2010-01-21 09:39 . 2010-01-21 09:39 -------- d-----w- c:\program files\Foxit Software
    2010-01-20 19:06 . 2010-01-20 19:06 -------- d-----w- c:\program files\Topaz Labs
    2010-01-20 12:58 . 2010-01-20 12:58 -------- d-----w- c:\program files\eos_movrec
    2010-01-17 19:43 . 2010-01-17 19:43 -------- d-----w- c:\programdata\NCH Swift Sound
    2010-01-17 19:43 . 2010-01-17 19:44 -------- d-----w- c:\users\upstaris\AppData\Roaming\NCH Swift Sound
    2010-01-17 19:43 . 2010-01-17 19:43 -------- d-----w- c:\program files\NCH Software
    2010-01-17 19:43 . 2010-01-17 19:43 -------- d-----w- c:\program files\NCH Swift Sound
    2010-01-16 09:14 . 2010-01-16 12:06 -------- d-----w- c:\users\upstaris\AppData\Roaming\VMware
    2010-01-16 09:11 . 2010-01-16 09:11 909320 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\uninstall.exe
    2010-01-16 09:11 . 2010-01-16 09:11 625200 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\instUtils.dll
    2010-01-16 09:11 . 2010-01-16 09:05 360448 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\module_license.dll
    2010-01-16 09:11 . 2010-01-16 09:05 331776 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\module_ws.dll
    2010-01-16 09:11 . 2010-01-16 09:05 569344 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\module_core.dll
    2010-01-16 09:11 . 2010-01-16 09:05 760368 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vnetlib.dll
    2010-01-16 09:11 . 2010-01-16 09:05 958000 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vnetlib64.dll
    2010-01-16 09:11 . 2010-01-16 09:05 922672 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vnetlib64.exe
    2010-01-16 09:11 . 2010-01-16 09:05 703024 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vnetlib.exe
    2010-01-16 09:11 . 2010-01-16 09:05 731696 ----a-w- c:\programdata\VMware\VMware Workstation\Uninstaller\vminstutil.dll
    2010-01-16 09:10 . 2009-10-22 00:13 59952 ----a-w- c:\windows\system32\vnetinst.dll
    2010-01-16 09:10 . 2009-10-22 00:13 16560 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys
    2010-01-16 09:10 . 2009-10-22 04:59 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
    2010-01-16 09:10 . 2009-10-22 05:00 395824 ----a-w- c:\windows\system32\vmnat.exe
    2010-01-16 09:10 . 2009-10-22 05:00 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
    2010-01-16 09:10 . 2009-10-22 00:13 51248 ----a-r- c:\windows\system32\vmnetbridge.dll
    2010-01-16 09:10 . 2009-10-22 00:13 36400 ----a-r- c:\windows\system32\drivers\vmnetbridge.sys
    2010-01-16 09:10 . 2009-10-22 00:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
    2010-01-16 09:10 . 2009-10-22 05:00 760368 ----a-w- c:\windows\system32\vnetlib.dll
    2010-01-16 09:09 . 2009-10-22 05:00 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
    2010-01-16 09:08 . 2010-01-16 09:08 -------- d-----w- c:\program files\Common Files\VMware
    2010-01-16 09:07 . 2010-01-29 11:10 -------- d-----w- c:\programdata\VMware
    2010-01-16 09:06 . 2010-01-16 09:06 -------- d-----w- c:\program files\VMware
    2010-01-16 08:44 . 2010-01-16 08:44 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-01-16 08:44 . 2010-01-16 08:44 -------- d-----w- c:\program files\DAEMON Tools Lite
    2010-01-16 08:43 . 2010-01-27 18:36 -------- d-----w- c:\users\upstaris\AppData\Roaming\DAEMON Tools Lite
    2010-01-16 08:43 . 2010-01-16 08:43 -------- d-----w- c:\programdata\DAEMON Tools Lite
    2010-01-15 16:07 . 2010-01-15 16:07 -------- d-----w- c:\program files\MagicISO
    2010-01-15 07:31 . 2010-01-15 07:31 -------- d-----w- c:\programdata\newos
    2010-01-15 07:06 . 2010-01-15 07:06 -------- d-----w- c:\programdata\deletepart
    2010-01-15 04:26 . 2010-01-15 04:26 -------- d-----w- c:\programdata\createpart
    2010-01-15 04:26 . 2010-01-15 04:26 -------- d-----w- c:\programdata\explauncher
    2010-01-15 04:25 . 2010-01-15 04:25 -------- d-----w- c:\programdata\launcher
    2010-01-14 16:11 . 2010-01-15 08:42 -------- d-----w- c:\users\upstaris\AppData\Roaming\ImgBurn
    2010-01-14 16:11 . 2010-01-14 16:11 -------- d-----w- c:\program files\ImgBurn
    2010-01-14 12:36 . 2009-09-29 13:06 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
    2010-01-14 12:36 . 2010-01-29 10:54 -------- dc----w- c:\windows\system32\DRVSTORE
    2010-01-14 12:36 . 2010-01-14 12:36 -------- d-----w- c:\program files\Paragon Software
    2010-01-14 10:27 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-14 10:27 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-29 11:11 . 2009-12-08 18:32 -------- d-----w- c:\program files\Steam
    2010-01-29 11:10 . 2009-11-04 22:45 -------- d-----w- c:\programdata\NVIDIA
    2010-01-29 10:56 . 2009-11-07 17:38 -------- d-----w- c:\users\upstaris\AppData\Roaming\vlc
    2010-01-28 22:23 . 2009-11-23 14:17 -------- d-----w- c:\users\upstaris\AppData\Roaming\Spotify
    2010-01-28 19:51 . 2009-11-12 12:27 -------- d-----w- c:\users\upstaris\AppData\Roaming\FileZilla
    2010-01-27 12:35 . 2009-11-05 02:58 -------- d-----w- c:\users\upstaris\AppData\Roaming\eM Client
    2010-01-27 12:34 . 2009-11-05 02:58 -------- d-----w- c:\program files\eM Client
    2010-01-26 20:33 . 2009-11-05 02:37 -------- d-----w- c:\program files\eclipse
    2010-01-23 20:06 . 2009-11-04 22:27 90432 ----a-w- c:\users\upstaris\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-01-21 14:40 . 2009-12-04 15:24 1 ----a-w- c:\users\upstaris\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-01-21 09:39 . 2009-11-06 02:33 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-01-20 21:41 . 2009-11-05 02:09 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-20 13:01 . 2010-01-20 13:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2010-01-18 18:35 . 2009-11-27 22:50 -------- d-----w- c:\users\upstaris\AppData\Roaming\dvdcss
    2010-01-16 07:33 . 2009-12-09 10:53 -------- d-----w- c:\program files\Free Easy Burner
    2010-01-14 12:32 . 2009-11-12 12:27 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-01-14 11:12 . 2009-11-05 06:04 181120 ------w- c:\windows\system32\MpSigStub.exe
    2009-12-17 22:44 . 2009-12-17 22:44 -------- d-----w- c:\users\upstaris\AppData\Roaming\com.ooyala.backlot.9DCE59B19CC46B6A4801BF98F6143EBC7EFD03F0.1
    2009-12-17 22:44 . 2009-12-17 22:44 -------- d-----w- c:\program files\Ooyala Backlot
    2009-12-17 22:44 . 2009-12-17 22:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-12-17 20:21 . 2009-12-17 22:44 38784 ----a-w- c:\users\upstaris\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-17 20:21 . 2009-12-17 22:44 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-12 11:26 . 2009-12-12 11:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
    2009-12-10 03:00 . 2009-12-10 03:00 -------- d-----w- c:\program files\MSXML 4.0
    2009-12-09 19:59 . 2009-12-09 19:59 -------- d-----w- c:\program files\CAPCOM
    2009-12-09 19:58 . 2009-12-09 19:58 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
    2009-12-09 17:59 . 2009-07-13 23:11 406528 ----a-w- c:\windows\system32\msvcp60.dll
    2009-12-09 17:57 . 2009-07-13 20:30 8704 ----a-w- c:\windows\Fonts\ega40857.fon
    2009-12-09 15:31 . 2009-12-09 15:31 -------- d-----w- c:\program files\RescueTime
    2009-12-08 18:32 . 2009-12-08 18:32 -------- d-----w- c:\program files\Common Files\Steam
    2009-12-07 15:54 . 2009-11-05 04:32 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-05 17:29 . 2009-12-05 17:29 -------- d-----w- c:\program files\Common Files\Apple
    2009-12-05 17:28 . 2009-12-05 17:28 -------- d-----w- c:\program files\QuickTime
    2009-12-05 17:28 . 2009-12-05 17:28 -------- d-----w- c:\programdata\Apple Computer
    2009-12-05 16:49 . 2009-11-15 19:24 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2009-12-04 15:24 . 2009-12-04 15:24 -------- d-----w- c:\users\upstaris\AppData\Roaming\OpenOffice.org
    2009-12-04 15:16 . 2009-12-04 15:16 -------- d-----w- c:\program files\JRE
    2009-12-04 15:16 . 2009-12-04 15:16 -------- d-----w- c:\program files\OpenOffice.org 3
    2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
    2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
    2009-11-25 16:36 . 2009-11-05 04:24 723248 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2009-11-24 23:54 . 2009-11-04 23:13 1280480 ----a-w- c:\windows\system32\aswBoot.exe
    2009-11-24 23:49 . 2009-11-04 23:13 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-11-24 23:48 . 2009-11-04 23:13 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-11-24 23:47 . 2009-11-04 23:13 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2009-11-19 11:48 . 2009-12-01 13:25 872960 ----a-w- c:\users\upstaris\AppData\Roaming\Mozilla\Firefox\Profiles\tswn3hit.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2009-11-19 11:48 . 2009-12-01 13:25 43008 ----a-w- c:\users\upstaris\AppData\Roaming\Mozilla\Firefox\Profiles\tswn3hit.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-11-19 11:48 . 2009-12-01 13:25 340480 ----a-w- c:\users\upstaris\AppData\Roaming\Mozilla\Firefox\Profiles\tswn3hit.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-11-19 11:48 . 2009-12-01 13:25 346624 ----a-w- c:\users\upstaris\AppData\Roaming\Mozilla\Firefox\Profiles\tswn3hit.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2009-11-18 16:14 . 2009-11-05 04:25 1923864 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2009-11-15 19:24 . 2009-11-08 18:33 2011912 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2009-11-11 20:04 . 2009-11-09 11:52 1 ----a-w- c:\users\upstaris\AppData\Roaming\OOo-dev\3\user\uno_packages\cache\stamp.sys
    2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
    2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
    2009-11-05 21:36 . 2008-08-14 07:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
    2009-11-05 03:46 . 2009-11-05 03:46 0 ----a-w- c:\windows\nsreg.dat
    2009-11-04 23:00 . 2009-11-04 23:01 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}]
    @="{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}"
    [HKEY_CLASSES_ROOT\CLSID\{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}]
    2009-10-14 19:41 150872 ----a-w- c:\windows\System32\pfmshx_359.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\users\upstaris\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-11-04 135664]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "Steam"="c:\program files\Steam\Steam.exe" [2009-12-09 1217808]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-04 149280]
    "avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-11-05 611712]
    "Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2009-07-01 1435136]
    "QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2009-07-01 601088]
    "Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-11-30 881152]
    "FontExpertType1Loader"="c:\program files\FontExpert\Type1Loader.exe" [2009-03-19 294152]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2009-10-22 129584]

    c:\users\upstaris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OOo-dev 3.2.lnk - c:\program files\OOo-dev 3\program\quickstart.exe [2009-9-26 384000]
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
    RescueTime.lnk - c:\program files\RescueTime\RescueTime.exe [2009-12-9 2379776]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""

    [HKLM\~\startupfolder\C:^Users^upstaris^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=c:\users\upstaris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=c:\windows\pss\MagicDisc.lnk.Startup
    backupExtension=.Startup

    R0 hotcore3;hc3ServiceName;c:\windows\System32\drivers\hotcore3.sys [14/01/2010 12:36 40560]
    R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [26/01/2010 23:35 207280]
    R0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys [27/01/2010 00:08 51984]
    R0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys [27/01/2010 00:08 59664]
    R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [04/11/2009 23:13 114768]
    R1 pfmfs_359;pfmfs_359;c:\windows\System32\drivers\pfmfs_359.sys [05/11/2009 02:07 185048]
    R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [04/11/2009 23:13 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [04/11/2009 23:13 53328]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [27/09/2009 16:48 240232]
    R2 vmci;VMware vmci;c:\windows\System32\drivers\vmci.sys [22/10/2009 05:00 70704]
    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [22/10/2009 03:47 563760]
    S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [16/01/2010 08:44 691696]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [27/01/2010 11:18 1153368]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [26/01/2010 23:35 358600]
    S3 TfNetMon;TfNetMon;c:\windows\System32\drivers\TfNetMon.sys [27/01/2010 00:08 33552]
    S4 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [26/01/2010 23:35 229304]
    S4 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [26/01/2010 23:35 70408]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2114085335-3892171782-2411487453-1001Core.job
    - c:\users\upstaris\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-04 22:41]

    2010-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2114085335-3892171782-2411487453-1001UA.job
    - c:\users\upstaris\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-04 22:41]
    .
    .
    ------- Supplementary Scan -------
    .
    LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
    FF - ProfilePath - c:\users\upstaris\AppData\Roaming\Mozilla\Firefox\Profiles\tswn3hit.default\
    FF - component: c:\users\upstaris\AppData\Roaming\Mozilla\Firefox\Profiles\tswn3hit.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\users\upstaris\AppData\Roaming\Mozilla\Firefox\Profiles\tswn3hit.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\users\upstaris\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-AdobeBridge - (no file)


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-01-29 11:34:14
    ComboFix-quarantined-files.txt 2010-01-29 11:34

    Pre-Run: 6,832,914,432 bytes free
    Post-Run: 8,351,866,880 bytes free

    - - End Of File - - 186E4121BFD174B6A3A667FCD0B97FCA




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:41:31, on 29/01/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe
    C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\upstaris\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Program Files\DIALux\DLXShellExtension.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
    O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
    O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe"
    O4 - HKLM\..\Run: [FontExpertType1Loader] C:\Program Files\FontExpert\Type1Loader.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Users\upstaris\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: OOo-dev 3.2.lnk = C:\Program Files\OOo-dev 3\program\quickstart.exe
    O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Startup: RescueTime.lnk = C:\Program Files\RescueTime\RescueTime.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
    O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp2\bin\apache\apache2.2.11\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp2\bin\mysql\mysql5.1.36\bin\mysqld.exe

    --
    End of file - 6880 bytes
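The "Reg Loading Points" section of the ComboFix log above lists the UAC policy values on this machine: EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0. With EnableLUA set to 0 every process started by a member of the Administrators group already runs with a full token, so nothing needs to prompt before writing to System32. The following script is an added example, not part of the thread and not one of the tools the helper used: it reads those five values, compares them with the Windows 7 defaults (the choice of defaults rather than a stricter profile is an assumption) and can write the defaults back. The key path and value names are the real ones; `Get-UacFindings` and `Repair-UacPolicy` are names chosen here. It assumes an elevated PowerShell session.

```powershell
# Added example, not part of the thread: audit the UAC values the ComboFix log
# lists under policies\system and optionally reset them to the Windows 7 defaults.
# Assumes an elevated PowerShell session on Windows 7 or later.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> recommended value (Windows 7 default; an assumption, a hardened
# build may want ConsentPromptBehaviorAdmin = 2) and what the weak setting means.
$UacPolicy = @{
    EnableLUA                  = @{ Want = 1; Why = '0 turns UAC off: admin-group processes always get a full token, so writes to System32 never prompt' }
    ConsentPromptBehaviorAdmin = @{ Want = 5; Why = '0 elevates without any prompt; 5 prompts for consent for non-Windows binaries, 2 always prompts' }
    ConsentPromptBehaviorUser  = @{ Want = 3; Why = '0 silently denies elevation; 3 prompts standard users for admin credentials' }
    PromptOnSecureDesktop      = @{ Want = 1; Why = '0 draws the prompt on the normal desktop, where another process can spoof or click it' }
    EnableUIADesktopToggle     = @{ Want = 0; Why = '1 lets UIAccess applications switch the secure desktop off' }
}

function Get-UacFindings {
    # One object per policy value: current value, recommended value, Weak flag.
    $props = Get-ItemProperty -Path $UacKey
    foreach ($name in ($UacPolicy.Keys | Sort-Object)) {
        $current = $props.$name          # $null when the value is absent
        [pscustomobject]@{
            Name        = $name
            Current     = $current
            Recommended = $UacPolicy[$name].Want
            Weak        = ($null -eq $current) -or ($current -ne $UacPolicy[$name].Want)
            Note        = $UacPolicy[$name].Why
        }
    }
}

function Repair-UacPolicy {
    # Writes the recommended value for every weak entry. EnableLUA only takes
    # effect after a reboot; the others apply to new elevation requests at once.
    foreach ($finding in (Get-UacFindings | Where-Object Weak)) {
        Set-ItemProperty -Path $UacKey -Name $finding.Name -Value $finding.Recommended -Type DWord
        Write-Output ("set {0} = {1}" -f $finding.Name, $finding.Recommended)
    }
    Write-Output 'Reboot for a changed EnableLUA to take effect.'
}

Get-UacFindings | Format-Table Name, Current, Recommended, Weak -AutoSize
# Repair-UacPolicy   # uncomment to write the recommended values
```

Run against the values in the log, the table would flag EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop as weak and leave ConsentPromptBehaviorUser and EnableUIADesktopToggle alone. Fixing UAC does not remove anything that is already installed; it only means the next unwanted write to System32 has to get past a prompt.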
     
  4. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      isoburn.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  5. shemadavid

    shemadavid Techie7 New Member

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 01:40 on 30/01/2010 by upstaris (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "isoburn.exe"
    C:\Windows\System32\isoburn.exe --a--- 86528 bytes [23:40 13/07/2009] [01:14 14/07/2009] C4A5086FFCE4FC9C78683E74E42B1E17
    C:\Windows\winsxs\x86_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7600.16385_none_e608fd42fa8ed70d\isoburn.exe --a--- 86528 bytes [23:40 13/07/2009] [01:14 14/07/2009] C4A5086FFCE4FC9C78683E74E42B1E17

    -=End Of File=-
     
  6. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    1. Please download The Avenger to your Desktop.

    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the Avenger folder to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Code:
    Begin copying here:
    Files to move:
    C:\Windows\winsxs\x86_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7600.16385_none_e608f d42fa8ed70d\isoburn.exe | C:\Windows\System32\isoburn.exe
    

    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.


    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:


    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also back up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply
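The SystemLook step and the Avenger script above do one thing between them: find every copy of a Windows binary, compare the one in System32 with the copy Windows keeps in the component store (winsxs), and put the store copy back over the live one. The script below is an added example, not part of the thread and not code from SystemLook or The Avenger: it finds every copy of a named file under System32, SysWOW64 and winsxs, hashes each one (MD5 so the value can be compared with SystemLook's last column, SHA-256 for the actual comparison), records its Authenticode status and flags live copies whose content matches no copy in the store. The function name and the `MatchesStore` column are names chosen here; the file name defaults to `isoburn.exe` from the thread. It assumes PowerShell 4.0 or later (`Get-FileHash`) in an elevated session.

```powershell
# Added example, not part of the thread: the SystemLook ":filefind" step and the
# Avenger "Files to move" comparison done in PowerShell for any Windows binary.
# Assumes PowerShell 4.0+ (Get-FileHash) in an elevated session.
function Compare-SystemBinaryWithStore {
    param(
        [string]$FileName = 'isoburn.exe',   # name taken from the thread
        [string]$WinDir   = $env:SystemRoot
    )

    # Live locations first, then the component store that serves as reference.
    $roots = @("$WinDir\System32", "$WinDir\SysWOW64", "$WinDir\winsxs") |
        Where-Object { Test-Path -LiteralPath $_ }

    $copies = foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue
    }

    $report = foreach ($f in $copies) {
        [pscustomobject]@{
            Path      = $f.FullName
            Bytes     = $f.Length
            Modified  = $f.LastWriteTimeUtc
            # MD5 only so the value lines up with the hash SystemLook prints.
            MD5       = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash
            SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            # Catalog-signed Windows files show Valid on Windows 8 and later; on
            # Windows 7 Get-AuthenticodeSignature ignores catalogs and reports NotSigned.
            Signature = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
            InStore   = $f.FullName.StartsWith("$WinDir\winsxs\", [System.StringComparison]::OrdinalIgnoreCase)
        }
    }

    # Every distinct content hash the store holds for this file name.
    $storeHashes = @($report | Where-Object InStore | Select-Object -ExpandProperty SHA256 | Sort-Object -Unique)

    # A live copy matches when some store copy has exactly the same bytes.
    $report | Select-Object *, @{ Name = 'MatchesStore'
                                  Expression = { $_.InStore -or ($storeHashes -contains $_.SHA256) } }
}

$result = @(Compare-SystemBinaryWithStore -FileName 'isoburn.exe')
$result | Format-Table Path, Bytes, MD5, Signature, MatchesStore -AutoSize -Wrap

$bad = @($result | Where-Object { -not $_.MatchesStore })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} live copy(ies) differ from every copy in winsxs:" -f $bad.Count)
    $bad | ForEach-Object { Write-Warning $_.Path }
} else {
    Write-Output 'Every live copy matches a copy in the component store.'
}
```

Two caveats a practitioner should keep in mind. First, the hashes come from the running system: a kernel-mode rootkit with a file-system filter can hand a clean image to user-mode readers while the bytes on disk differ, which is why tools like The Avenger do their work during a reboot rather than from the desktop. Second, replacing a file is what `sfc` already does for protected binaries: `sfc /verifyfile=C:\Windows\System32\isoburn.exe` reports a mismatch and `sfc /scanfile=C:\Windows\System32\isoburn.exe` restores it from the store, without the path-wrapping problem the forum software caused with the Avenger script. On this thread's own SystemLook output both copies carried the same MD5, C4A5086FFCE4FC9C78683E74E42B1E17, so this check would have reported a match.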
     
  7. shemadavid

    shemadavid Techie7 New Member

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    Swandog46's Public Anti-Malware Tools

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: could not open file "C:\Windows\winsxs\x86_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7600.16385_none_e608f d42fa8ed70d\isoburn.exe" for move operation
    File move operation "C:\Windows\winsxs\x86_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7600.16385_none_e608f d42fa8ed70d\isoburn.exe|C:\Windows\System32\isoburn.exe" failed!
    Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
    --> bad path / the parent directory does not exist


    Completed script processing.

    *******************

    Finished! Terminate.
     
  8. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Grrrrrrrr....I hate this DAL bug, which creates a space after so many characters. Sorry for that.
    Re-run with this script:

    Code:
    Begin copying here:
    Files to move:
    C:\Windows\winsxs\x86_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7600.16385_none_e608fd42fa8ed70d\isoburn.exe | C:\Windows\System32\isoburn.exe
     
  9. shemadavid

    shemadavid Techie7 New Member

    no problem!
    trying it now....
     
  10. shemadavid

    shemadavid Techie7 New Member

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    Swandog46's Public Anti-Malware Tools

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File move operation "C:\Windows\winsxs\x86_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7600.16385_none_e608fd42fa8ed70d\isoburn.exe|C:\Windows\System32\isoburn.exe" completed successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  11. shemadavid

    shemadavid Techie7 New Member

    Just tried a few searches in google and it's not diverting

    Have to go to bed. Thank you so much and I'll check back tomorrow to see if you have any other steps I need to go through. Thanks again for your help, you're incredibly generous with your knowledge and time, it's greatly appreciated.
     
    Last edited: Jan 30, 2010
  12. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Very good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Restart computer.

    ================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!