Ie Custom Tools/ie Saftey Features[RESOLVED]

Takitoes · December 16, 2007

Hello

I lent my Laptop to a friend while i was away for the weekend and i came back to find my Internet Explorer homepage hijacked and loads of pop-ups interfering with my browsing. I looked for programs to uninstall and found the IE Custom Tools/IE Saftey Features in the windows add/remove programs list (i have never seen before and asume they are responsible). When i try to uninstall them it asks me to restart the computer before un-installing and then the same thing after I restart. I completed Norton Antivirus 2007 and Ad-aware 2007 scans to no avail, so here i am. I am running Windows Vista 32 bit version. Any help is greatly appriciated!

Here is my HijackThis Log -

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:07:15 PM, on 16/12/2007

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Video Add-on\isfmntr.exe

C:\Program Files\Video Add-on\isfmm.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\CyberLink\PowerCinema\PCMService.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Video Add-on\isfmm.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Video Add-on\isfmm.exe

C:\Program Files\Creative\MediaSource5\CTDetctu.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\Macromed\Flash\FlashUtil9d.exe

C:\Users\User\HJT\HJTInstall.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:/Windows/NECCUST/OWR/OWR_EN.HTM

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Windows/NECCUST/OWR/OWR_EN.HTM

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: (no name) - {69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014} - C:\Program Files\Video Add-on\isfmdl.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\mattsearch.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: IE Custom Tools - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - C:\Program Files\Video Add-on\ictmdl.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM\..\Run: [skytel] Skytel.exe

O4 - HKLM\..\Run: [CTRegRun] C:\Windows\CTRegRun.EXE

O4 - HKLM\..\RunOnce: [installShieldSetup] C:\PROGRA~1\INSTAL~1\{BEEFC~1\SETUP.EXE -rebootC:\PROGRA~1\INSTAL~1\{BEEFC~1\reboot.ini -l0x9

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s

O4 - HKCU\..\Run: [sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe"

O4 - HKCU\..\RunOnce: [startMSu] "C:\Program Files\Creative\MediaSource5\Startmsu.exe" /s

O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro\o2flash.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 10776 bytes

Thankyou

sarahw · December 18, 2007

Hi,

Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.

Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.

These instuctions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.

sarahw · December 18, 2007

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Takitoes · December 21, 2007

Hi there

Sorry for the slow reply, here are the logs you asked for:

-----ComboFix------

ComboFix 07-12-21.4 - User 2007-12-21 14:34:57.1 - NTFSx86

MicrosoftÂ® Windows Vistaâ„¢ Business 6.0.6000.0.1252.1.1033.18.1242 [GMT 0:00]

Running from: C:\Users\User\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\Helper

C:\Program Files\Helper\mattsearch.dll

.

((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))

.

2007-12-16 19:57 . 2007-12-16 20:07 <DIR> d-------- C:\Users\User\HJT

2007-12-16 19:24 . 1999-12-13 09:01 44,032 --a------ C:\Windows\System32\CTSVCCDA.EXE

2007-12-16 18:35 . 2007-12-16 18:35 <DIR> d-------- C:\Users\All Users\Lavasoft

2007-12-16 18:35 . 2007-12-16 18:35 <DIR> d-------- C:\ProgramData\Lavasoft

2007-12-16 18:35 . 2007-12-16 18:35 <DIR> d-------- C:\Program Files\Lavasoft

2007-12-16 18:34 . 2007-12-16 18:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-12-16 18:01 . 2007-12-16 18:12 <DIR> d-------- C:\Program Files\Video Add-on

2007-12-13 16:12 . 2007-12-16 20:29 <DIR> d-------- C:\Users\User\AppData\Roaming\Creative

2007-12-13 15:54 . 1999-10-11 01:00 41,984 --------- C:\Windows\Ctregrun.exe

2007-12-13 15:51 . 1999-11-18 09:00 25,088 --------- C:\Windows\System32\CTSVCCTL.EXE

2007-12-13 15:50 . 2007-12-16 20:05 <DIR> d--h----- C:\Program Files\Creative Installation Information

2007-12-13 15:50 . 2007-12-13 15:50 <DIR> d-------- C:\Program Files\Common Files\Creative

2007-12-13 15:45 . 2007-12-16 20:23 <DIR> d-------- C:\Program Files\Creative

2007-12-12 18:46 . 1999-05-10 01:00 1,384,448 --a------ C:\Windows\System32\temp.000

2007-12-12 02:40 . 2007-12-12 02:40 1,327,104 --a------ C:\Windows\System32\quartz.dll

2007-12-12 02:40 . 2007-12-12 02:40 223,232 --a------ C:\Windows\System32\WMASF.DLL

2007-12-12 02:40 . 2007-12-12 02:40 9,728 --a------ C:\Windows\System32\LAPRXY.DLL

2007-12-12 02:40 . 2007-12-12 02:40 2,048 --a------ C:\Windows\System32\asferror.dll

2007-12-12 02:38 . 2007-12-12 02:38 130,048 --a------ C:\Windows\System32\drivers\srv2.sys

2007-12-12 02:38 . 2007-12-12 02:38 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys

2007-12-12 02:38 . 2007-12-12 02:38 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys

2007-12-12 02:38 . 2007-12-12 02:38 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys

2007-12-12 02:37 . 2007-12-12 02:37 3,504,824 --a------ C:\Windows\System32\ntkrnlpa.exe

2007-12-12 02:37 . 2007-12-12 02:37 3,470,520 --a------ C:\Windows\System32\ntoskrnl.exe

2007-12-12 02:36 . 2007-12-12 02:36 2,048 --a------ C:\Windows\System32\tzres.dll

2007-12-11 23:27 . 2007-12-11 23:29 <DIR> d-------- C:\Users\All Users\DVD Shrink

2007-12-11 23:27 . 2007-12-11 23:29 <DIR> d-------- C:\ProgramData\DVD Shrink

2007-12-11 23:27 . 2007-12-11 23:27 <DIR> d-------- C:\Program Files\DVD Shrink

2007-12-11 20:25 . 2007-12-11 20:25 <DIR> d-------- C:\Program Files\BearShare

2007-12-10 22:26 . 2007-12-10 22:26 <DIR> d-------- C:\Program Files\BearShare Test

2007-12-10 21:56 . 2007-12-10 21:56 2,560 --a------ C:\Windows\_MSRSTRT.EXE

2007-12-10 20:33 . 2007-12-10 20:33 <DIR> d-------- C:\My Downloads

2007-12-10 18:52 . 2007-12-16 22:40 58 --a------ C:\Windows\nfsc_patch.ini

2007-12-04 01:33 . 2007-12-04 01:33 823,296 --a------ C:\Windows\System32\divx_xx0c.dll

2007-12-04 01:33 . 2007-12-04 01:33 823,296 --a------ C:\Windows\System32\divx_xx07.dll

2007-12-04 01:33 . 2007-12-04 01:33 802,816 --a------ C:\Windows\System32\divx_xx11.dll

2007-12-04 01:33 . 2007-12-04 01:33 682,496 --a------ C:\Windows\System32\DivX.dll

2007-12-04 01:33 . 2007-12-04 01:33 630,784 --a------ C:\Windows\System32\divxdec.ax

2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\Windows\System32\drivers\srtspl.sys

2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\Windows\System32\drivers\srtsp.sys

2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\Windows\System32\drivers\srtspx.sys

2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\Windows\System32\drivers\srtspx.cat

2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\Windows\System32\drivers\srtspl.cat

2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\Windows\System32\drivers\srtsp.cat

2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\Windows\System32\drivers\srtspl.inf

2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\Windows\System32\drivers\srtspx.inf

2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\Windows\System32\drivers\srtsp.inf

2007-11-30 17:47 . 2007-11-30 17:47 <DIR> dr-h----- C:\Users\User\AppData\Roaming\SecuROM

2007-11-30 17:47 . 2007-11-30 17:47 108,144 --a------ C:\Windows\System32\CmdLineExt.dll

2007-11-29 22:30 . 2007-11-29 22:30 3,596,288 --a------ C:\Windows\System32\qt-dx331.dll

2007-11-29 22:30 . 2007-11-29 22:30 1,044,480 --a------ C:\Windows\System32\libdivx.dll

2007-11-29 22:30 . 2007-11-29 22:30 524,288 --a------ C:\Windows\System32\DivXsm.exe

2007-11-29 22:30 . 2007-11-29 22:30 200,704 --a------ C:\Windows\System32\ssldivx.dll

2007-11-29 22:30 . 2007-11-29 22:30 4,816 --a------ C:\Windows\System32\divxsm.tlb

2007-11-29 22:28 . 2007-11-29 22:28 196,608 --a------ C:\Windows\System32\dtu100.dll

2007-11-29 22:28 . 2007-11-29 22:28 81,920 --a------ C:\Windows\System32\dpl100.dll

2007-11-29 22:28 . 2007-11-29 22:28 416 --a------ C:\Windows\System32\dtu100.dll.manifest

2007-11-29 22:28 . 2007-11-29 22:28 416 --a------ C:\Windows\System32\dpl100.dll.manifest

2007-11-28 23:26 . 2007-11-28 23:26 <DIR> d-------- C:\temp

2007-11-28 23:20 . 2007-11-28 23:20 <DIR> d-------- C:\Users\All Users\Media Center Programs

2007-11-28 23:20 . 2007-11-28 23:20 <DIR> d-------- C:\ProgramData\Media Center Programs

2007-11-28 22:59 . 2007-11-28 22:59 <DIR> d-------- C:\Program Files\THQ

2007-11-28 22:59 . 2006-09-28 16:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll

2007-11-28 22:59 . 2006-09-28 16:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll

2007-11-28 22:59 . 2006-07-28 09:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll

2007-11-28 22:59 . 2006-09-28 16:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll

2007-11-28 22:59 . 2006-07-28 09:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll

2007-11-28 22:59 . 2006-09-28 16:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll

2007-11-28 22:08 . 2007-11-28 22:08 <DIR> d-------- C:\Users\User\AppData\Roaming\InstallShield

2007-11-28 21:55 . 2007-11-28 21:55 156,992 --a------ C:\Windows\System32\DivXCodecVersionChecker.exe

2007-11-28 21:53 . 2007-11-28 21:53 593,920 --a------ C:\Windows\System32\dpuGUI11.dll

2007-11-28 21:53 . 2007-11-28 21:53 344,064 --a------ C:\Windows\System32\dpus11.dll

2007-11-28 21:53 . 2007-11-28 21:53 294,912 --a------ C:\Windows\System32\dpu11.dll

2007-11-28 21:53 . 2007-11-28 21:53 294,912 --a------ C:\Windows\System32\dpu10.dll

2007-11-28 21:53 . 2007-11-28 21:53 57,344 --a------ C:\Windows\System32\dpv11.dll

2007-11-28 21:53 . 2007-11-28 21:53 53,248 --a------ C:\Windows\System32\dpuGUI10.dll

2007-11-28 21:52 . 2007-11-28 21:52 12,288 --a------ C:\Windows\System32\DivXWMPExtType.dll

2007-11-26 14:01 . 2007-11-26 14:01 <DIR> d-------- C:\Users\All Users\Electronic Arts

2007-11-26 14:01 . 2007-11-26 14:01 <DIR> d-------- C:\ProgramData\Electronic Arts

2007-11-26 13:59 . 2007-11-26 13:59 22,009,600 --a------ C:\Users\User\eadm-installer.exe

2007-11-21 12:46 . 2007-11-21 12:46 <DIR> d-------- C:\Users\User\AppData\Roaming\Earthsim

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-16 20:04 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-16 19:16 --------- d-----w C:\Users\User\AppData\Roaming\uTorrent

2007-12-13 21:36 --------- d-----w C:\Program Files\Steam

2007-12-12 02:39 56,320 ----a-w C:\Windows\System32\iesetup.dll

2007-12-12 02:39 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2007-12-12 02:39 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2007-12-12 00:11 --------- d-----w C:\Program Files\DivX

2007-12-11 20:08 --------- d-----w C:\ProgramData\Symantec

2007-12-09 12:30 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF

2007-12-09 12:30 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS

2007-12-09 12:30 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT

2007-12-09 12:30 --------- d-----w C:\Program Files\Symantec

2007-12-05 16:12 --------- d-----w C:\ProgramData\Roxio

2007-12-04 15:54 --------- d-----w C:\Program Files\VideoLAN

2007-11-26 22:57 --------- d-----w C:\Program Files\Windows Mail

2007-11-26 14:01 --------- d-----w C:\Program Files\Electronic Arts

2007-11-18 18:44 --------- d-----w C:\Program Files\Norton Internet Security

2007-11-18 17:02 25,406,752 ----a-w C:\Users\User\earthsim_ati.exe

2007-11-18 17:00 --------- d-----w C:\Program Files\Common Files\Steam

2007-11-11 12:56 --------- d-----w C:\Program Files\ATI

2007-11-10 20:00 --------- d-----w C:\Program Files\Intel

2007-11-06 17:05 --------- d-----w C:\Program Files\Common Files\xing shared

2007-11-06 17:05 --------- d-----w C:\Program Files\Common Files\Real

2007-11-06 16:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-10-30 19:55 39,856 ----a-w C:\Windows\system32\drivers\symids.sys

2007-10-30 19:55 37,936 ----a-w C:\Windows\system32\drivers\symndisv.sys

2007-10-30 19:55 27,696 ----a-w C:\Windows\system32\drivers\symredrv.sys

2007-10-30 19:55 191,536 ----a-w C:\Windows\system32\drivers\symtdi.sys

2007-10-30 19:55 145,968 ----a-w C:\Windows\system32\drivers\symfw.sys

2007-10-30 19:55 12,848 ----a-w C:\Windows\system32\drivers\symdns.sys

2007-10-30 19:24 12,963 ----a-w C:\Windows\system32\drivers\SymRedir.cat

2007-10-30 19:24 1,358 ----a-w C:\Windows\system32\drivers\SymRedir.inf

2007-10-19 09:55 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe

2007-10-15 01:00 22,328 ----a-w C:\Users\User\AppData\Roaming\PnkBstrK.sys

2007-10-15 00:59 674,600 ----a-w C:\Windows\System32\pbsvc.exe

2007-10-15 00:59 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe

2007-10-14 20:16 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr

2007-10-14 20:16 67,584 ----a-w C:\Windows\System32\wlanhlp.dll

2007-10-14 20:16 542,720 ----a-w C:\Windows\System32\sysmain.dll

2007-10-14 20:16 502,784 ----a-w C:\Windows\System32\wlansvc.dll

2007-10-14 20:16 47,104 ----a-w C:\Windows\System32\wlanapi.dll

2007-10-14 20:16 297,984 ----a-w C:\Windows\System32\wlansec.dll

2007-10-14 20:16 290,816 ----a-w C:\Windows\System32\wlanmsm.dll

2007-10-14 20:16 24,064 ----a-w C:\Windows\System32\wtsapi32.dll

2007-10-14 20:16 2,923,520 ----a-w C:\Windows\explorer.exe

2007-10-14 20:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys

2007-10-10 02:09 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL

2007-10-10 02:09 7,680 ----a-w C:\Windows\System32\spwmp.dll

2007-10-10 02:09 4,096 ----a-w C:\Windows\System32\dxmasf.dll

2007-10-10 02:09 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll

2007-10-10 02:07 84,480 ----a-w C:\Windows\System32\INETRES.dll

2007-10-10 02:07 737,792 ----a-w C:\Windows\System32\inetcomm.dll

2007-10-10 02:01 788,992 ----a-w C:\Windows\System32\rpcrt4.dll

2007-10-09 07:44 110,592 ----a-w C:\Windows\System32\SynTPCo4.dll

2007-10-09 07:16 147,456 ----a-w C:\Windows\System32\SynTPAPI.dll

2007-10-09 07:08 196,608 ----a-w C:\Windows\System32\SynCtrl.dll

2007-10-09 07:07 163,840 ----a-w C:\Windows\System32\SynCOM.dll

2007-09-29 03:03 9,850,880 ----a-w C:\Windows\System32\atioglxx.dll

2007-09-29 03:02 43,520 ----a-w C:\Windows\System32\ati2edxx.dll

2007-09-29 03:02 356,352 ----a-w C:\Windows\System32\ATIDEMGX.dll

2007-09-29 03:02 266,240 ----a-w C:\Windows\System32\atipdlxx.dll

2007-09-29 03:02 245,760 ----a-w C:\Windows\System32\Ati2evxx.dll

2007-09-29 03:02 237,568 ----a-w C:\Windows\System32\Oemdspif.dll

2007-09-29 03:02 159,744 ----a-w C:\Windows\System32\atitmmxx.dll

2007-09-29 03:01 610,304 ----a-w C:\Windows\System32\Ati2evxx.exe

2007-09-29 02:54 1,429,504 ----a-w C:\Windows\System32\atidxx32.dll

2007-09-29 02:50 3,071,488 ----a-w C:\Windows\System32\atiumdag.dll

2007-09-29 02:37 3,887,104 ----a-w C:\Windows\System32\atiumdva.dll

2007-09-29 02:27 48,128 ----a-w C:\Windows\System32\amdpcom32.dll

2007-09-28 16:07 129,784 ------w C:\Windows\System32\PxAFS.DLL

2007-09-28 16:07 120,056 ------w C:\Windows\System32\pxcpyi64.exe

2007-09-28 16:07 118,520 ------w C:\Windows\System32\pxinsi64.exe

2007-08-30 02:11 174 --sha-w C:\Program Files\desktop.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014}]

2007-12-16 18:01 12800 --a------ C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{90222687-F593-4738-B738-FBEE9C7B26DF}

{F2BADA0D-FD61-45EF-A994-64A073FD6613}

[HKEY_CLASSES_ROOT\clsid\{f2bada0d-fd61-45ef-a994-64a073fd6613}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{F2BADA0D-FD61-45EF-A994-64A073FD6613}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-12-16 18:01 74752]

[HKEY_CLASSES_ROOT\clsid\{f2bada0d-fd61-45ef-a994-64a073fd6613}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:36]

"MtdAcqu"="C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 08:56]

"Sidebar"="C:\Program Files\windows sidebar\sidebar.exe" [2006-11-02 12:35]

"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-03-07 17:47]

"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 10:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-05-30 02:17]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-09 07:44]

"RtHDVCpl"="RtHDVCpl.exe" [2007-08-07 03:59 C:\Windows\RtHDVCpl.exe]

"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2006-11-08 19:36]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 14:59]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-10-26 23:18]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:30]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-14 19:23]

"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 11:03]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 11:03 C:\Windows\KHALMNPR.Exe]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-06 17:04]

"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-10-09 07:23]

"Skytel"="Skytel.exe" [2007-08-03 05:22 C:\Windows\SkyTel.exe]

"CTRegRun"="C:\Windows\CTRegRun.EXE" [1999-10-11 01:00]

"StartCCC"="C:\ATI\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 08:48:20]

Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 07:01:50]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-06-18 14:09:02]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders credssp.dll

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 15:23]

R0 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2media.sys [2006-11-20 22:14]

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070828.001\IDSvix86.sys [2007-06-07 02:24]

R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2006-10-31 21:40]

R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 08:39]

R3 CIR;Hid Device;C:\Windows\system32\DRIVERS\CIR.sys [2006-10-05 03:26]

R3 kbd;Keyboard;C:\Windows\system32\DRIVERS\kbd.sys [2006-10-05 03:25]

R3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-10-30 01:42]

R3 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sd.sys [2006-12-20 18:12]

R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-29 03:13]

R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]

S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 17:04]

S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe /RunAsService []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalService REG_MULTI_SZ nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient

LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

LocalServiceNetworkRestricted REG_MULTI_SZ DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ec74bea-3de0-11dc-a6e3-0040d0a94343}]

\shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50fdec7b-6243-11dc-985d-0040d0a94343}]

\shell\Auto\command - MicrosoftPowerPoint.exe

\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cb7afee-e74f-11db-8600-806e6f6e6963}]

\shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8482a04-4656-11dc-828e-0040d0a94343}]

\shell\Auto\command - F:\Cn911.exe

\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Cn911.exe

*Newly Created Service* - CATCHME

*Newly Created Service* - COMHOST

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

"2007-12-14 20:31:08 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - User.job"

- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-21 14:39:01

Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-12-21 14:40:16

.

2007-12-12 02:40:53 --- E O F ---

---------------HijackThis----------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:02:23 PM, on 21/12/2007

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\CyberLink\PowerCinema\PCMService.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Creative\MediaSource5\MtdAcqu.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\IEUser.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\NOTEPAD.EXE