Possible Virus in Regestry

[Confused Computer User]

Well here is the latest HJT log done in Safe Mode.

Hope it's OK.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:15 PM, on 19/12/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [auditadmin] C:\windows\temp\auditadmin.cmd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Windows7FirewallControl] C:\Program Files\Windows7FirewallControl\Windows7FirewallControl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Windows7FirewallService - Sphinx Software - C:\Program Files\Windows7FirewallControl\Windows7FirewallService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5764 bytes

[polonus]

Hi confused computer user,

Here are the results.

You have no active software firewall running...

Check these at virustotal:
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [auditadmin] C:\windows\temp\auditadmin.cmd

Because of a safemode scan the only active tasks I have are:
Overzicht van actieve taken: (Klik op de taken voor meer informatie)

Explorer.EXE   
System task

Microsoft Windows Explorer

HijackThis.exe   
Application

Hijackthis 2.O

The task you had active in the first normal mode log were:

Survey of active tasks

Dwm.exe   
System task

Desktop Window Manager

taskeng.exe   
System task

Task Scheduler Engine

Explorer.EXE   
System task

Microsoft Windows Explorer

mobsync.exe   
System task

Microsoft Synchronization Manager

ashDisp.exe   
Virusscan

Avast AntiVirus

jusched.exe   
Background task

Sun Java Update Scheduler

RtHDVCpl.exe   
System task

High definition audio codec driver from Realtek Semiconductor

PDVDServ.exe   
Background task

PowerDVD Remote Control

igfxpers.exe   
Driver

Intel Common User Interface Module

ModPS2Key.exe
Some malware camouflage themselves as ModPS2Key.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the ModPS2Key.exe process on your pc whether it is pest.
Unklnown task

Unknown task

igfxsrvc.exe   
Driver

Intel(R) Common User Interface

igfxtray.exe   
Application

Intel Graphics configuration and diagnostic application

hkcmd.exe   
Application

Intel multimedia devices

zHotkey.exe   
Background task

Enables special keys on Chicony keyboards.

WinPatrol.exe   
Security software

WinPatrol

Windows7FirewallControl.exe

.... task Sphinx Software
Product contains:   Vista-Wall extended control for Windows 7 and Vista Firewall
File name contains:   \Program Files\Windows7FirewallControl\

Unknown task

realsched.exe   
Application

RealNetworks Scheduler

is360tray.exe   remove or fix
Background task

IObit Security 360 not recommended

SUPERANTISPYWARE.EXE   
Anti Add/Spyware software

SUPERAntiSpyware

sidebar.exe   
Background task

Vista sidebar

HijackThis.exe   
Application

Hijackthis 2.0

That is all,


polonus

[Confused Computer User]

Thanks again polonus.

So one step at a time.

You have no active software firewall running...

I am using Vista's built in firewall along with Windows 7 Firewall control
http://www.sphinx-soft.com/Vista/order.html

Windows7FirewallControl.exe

.... task Sphinx Software
Product contains:   Vista-Wall extended control for Windows 7 and Vista Firewall
File name contains:   \Program Files\Windows7FirewallControl\

This enables outbound protection in Vista.

is360tray.exe   remove or fix
Background task

IObit Security 360 not recommended

Already removed from my comp and the task should not come up in my latest log. I don't see it so I'm guessing it's the old log you are referring to.

I would remove IOBit as per:
IOBit Theft Conclusion
http://www.malwarebytes.org/forums/index.php?showtopic=33217

Close all browsers and sellect the following then Fix checked
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088

Make the Start page Google.com as it loads faster with less advertisments by going to to IE then Tools then Internet Options then select Use current

I'll follow through on your suggestions Yokenny. I already removed IObit 360(which was emphasized by polonus as well).

Thank you again polonus for the continued support. Thank you also Yokenny, DavidR and essexboy for your help as well.