PDA

View Full Version : Spyware infestation



EmpressPhoenix
2008-03-06, 06:11
Moved to a new state, into a new place. Was nice enough to let someone use my computer. They thought they would be "nice" and download some "free" Screen Savers for my computer. I learned a long time ago, most of the "free" ones that you download come infested with spyware and such. I tried to remove what I found of these files, but, I want to make sure it's all gone. I could not get the HJT and Kasperky logs to both fit in the same post. So, I used rapidshare for kasperky.

Kasperky Log (http://rapidshare.com/files/97401373/kasperky.html)

**************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:38 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\system32\ssstars.scr
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\dogproxy2\DogProxy2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Furcadia\furcadia.exe
C:\Program Files\Furcadia\furcadia.exe
C:\Program Files\Mozilla Firefox 3 Beta 1\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\renter\Desktop\Phoenix\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\renter\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 9834 bytes

__RiP_ChAiN_
2008-03-09, 08:44
Hello EmpressPhoenix,

Could you try simply attaching the Kaspersky log to your next post instead?

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

EmpressPhoenix
2008-03-11, 09:10
I know I am supposed to be posting logs with this reply, however, I apologize...I am having a difficult time with it. I don't know how it's expected I fit both the extra.txt and the main.txt logs in one post? The main.txt log by itself is too long and I can't even attach it, it's too big.

I was going to..hesitantly, make 2 separate posts for logs but, it would not matter, the main.txt log/file exceeds limits.

What do you want me to do?

__RiP_ChAiN_
2008-03-12, 05:40
Hello EmpressPhoenix,

Can you try splitting the main.txt into two, or even three replies if need be?

EmpressPhoenix
2008-03-12, 11:23
I can do that. So, I might have a total of 3 posts period. This is extra.txt and the kasperky attachment.
---------------------------------------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) M processor 1.70GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 446.17 MiB / 170.21 MiB
Pagefile Memory (total/avail): 1056.47 MiB / 652.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.94 MiB

C: is Fixed (NTFS) - 51.81 GiB total, 29.97 GiB free.
D: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6034GSX - 55.89 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 51.81 GiB - C:
\PARTITION1 - Unknown - 3.84 GiB
\PARTITION2 - Unknown - 251.02 MiB



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

AV: avast! antivirus 4.7.1098 [VPS 080310-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Documents and Settings\\renter\\Desktop\\Phoenix\\mreowproxy_506.exe"="C:\\Documents and Settings\\renter\\Desktop\\Phoenix\\mreowproxy_506.exe:*:Enabled:mreowproxy_506"
"C:\\Documents and Settings\\renter\\Desktop\\Phoenix\\mreowproxy.exe"="C:\\Documents and Settings\\renter\\Desktop\\Phoenix\\mreowproxy.exe:*:Enabled:mreowproxy"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\renter\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PHOENIX
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
GETMODEL=Satellite A105
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\renter
LOGONSERVER=\\PHOENIX
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\renter\LOCALS~1\Temp
TMP=C:\DOCUME~1\renter\LOCALS~1\Temp
USERDOMAIN=PHOENIX
USERNAME=renter
USERPROFILE=C:\Documents and Settings\renter
VERNUM=PSAA2U-123456V
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

renter (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\aolunins_us.exe
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Aquatica 3D Screensaver --> MsiExec.exe /I{A9EC7055-F35A-4656-82DD-E404903CC6C5}
Atheros Client Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}\setup.exe" -l0x9
Atheros Wireless LAN MiniPCI card Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
Corel Paint Shop Pro Photo XI --> MsiExec.exe /I{93A1B09E-BAFA-4628-A5B6-921CB026955A}
Corel Snapfire --> MsiExec.exe /I{0EE4030A-8FD4-4798-A21D-17E525B1F7CF}
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DogProxy II --> C:\PROGRA~1\DOGPRO~1\UNWISE.EXE C:\PROGRA~1\DOGPRO~1\INSTALL.LOG
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\setup.exe" -l0x9 DVD-RAM Driver
FATE --> "C:\Program Files\WildGames\FATE\Uninstall.exe"
FATE from WildGames (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E2BABA4F-C37B-4A6C-8F00-0D303441C2D3\Uninstall.exe"
Furcadia --> "C:\Program Files\Furcadia\_uninst.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hard Disk Recovery Utilities --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Hard Disk Recovery Utilities\Uninst.isu"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\renter\Desktop\Phoenix\HijackThis.exe" /uninstall
HTML Executable IERuntime --> C:\Program Files\Common Files\HTML Executable Viewer\{AF358AB7-0CEF-40B5-A569-D27F8F38232D}\heieunin.exe
IMVU Avatar Chat Software --> C:\Program Files\IMVU\Uninstall.exe
InterVideo WinDVD for TOSHIBA --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Logon Loader 3.0 --> C:\Program Files\Logon Loader\uninst.exe
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.11) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (3.0b3) --> C:\Program Files\Mozilla Firefox 3 Beta 1\uninstall\helper.exe
My Web Search (Popular Screensavers) --> rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll,O
Office 2003 Trial Assistant --> MsiExec.exe /I{47D2103B-FD51-4017-9C20-DD408B17D726}
PatchFusion --> "C:\Program Files\Mercenary Enclave\PatchFusion\unins000.exe"
Pure Networks Port Magic --> C:\Program Files\Pure Networks\Port Magic\PortAOL.exe -Uninstall -ShowUI
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Router --> C:\Program Files\Router\UnInstall.exe
SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P="SecondLife"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Style Master 4.6 Demo --> MsiExec.exe /I{C9012AA3-F07B-46F5-BB59-ED21E92021ED}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The Weather Channel Desktop --> C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\Setup.exe" -l0x9
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Game Console --> "C:\Program Files\WildTangent\Apps\TOSHIBA Game Console\Uninstall.exe"
TOSHIBA Hotkey Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64DD71BC-3109-4C88-9AD3-D5422644B722}\setup.exe" -l0x9
TOSHIBA Power Saver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\system32\TPSDel.dll"
Toshiba Registration --> MsiExec.exe /X{F6C405D2-C50D-4D10-B89E-73A233A14D74}
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.exe"
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
TOSHIBA TouchPad ON/Off Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{69BE47C2-36FE-4397-8199-85D8EAE69982}\setup.exe" -l0x9
TOSHIBA Utilities --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}\setup.exe" -l0x9
TOSHIBA Virtual Sound --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B12BA86-ADAC-4BA6-B441-FFC591087252}\Setup.exe" /uninstall
TOSHIBA Zooming Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\Setup.exe"
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{97A96172-A963-4A37-9FFB-DA6805BB915A}\setup.exe -runfromtemp -l0x0409
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Weather Services --> C:\WINDOWS\system32\control.exe C:\PROGRA~1\THEWEA~1\FRAMEW~1\wxfw.cpl,4
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Remote --> "C:\Program Files\Winamp Remote\uninstall.exe"
Winamp Toolbar for Firefox --> "C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinTouch --> C:\Documents and Settings\renter\Application Data\WinTouch\WTUninstaller.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type927 / Error
Event Submitted/Written: 03/04/2008 08:30:31 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aquati~1.scr, version 0.0.0.0, faulting module aquati~1.scr, version 0.0.0.0, fault address 0x0000a3eb.
Processing media-specific event for [aquati~1.scr!ws!]

Event Record #/Type925 / Error
Event Submitted/Written: 03/02/2008 05:58:26 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aquati~1.scr, version 0.0.0.0, faulting module aquati~1.scr, version 0.0.0.0, fault address 0x00050f1f.
Processing media-specific event for [aquati~1.scr!ws!]

Event Record #/Type924 / Error
Event Submitted/Written: 03/02/2008 05:58:02 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aquati~1.scr, version 0.0.0.0, faulting module aquati~1.scr, version 0.0.0.0, fault address 0x0000a3eb.
Processing media-specific event for [aquati~1.scr!ws!]

Event Record #/Type916 / Error
Event Submitted/Written: 02/18/2008 02:40:00 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dreamed.exe, version 2.5.2.0, faulting module dreamed.exe, version 2.5.2.0, fault address 0x0000c7f9.
Processing media-specific event for [dreamed.exe!ws!]

Event Record #/Type915 / Error
Event Submitted/Written: 02/11/2008 09:30:02 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application furcadia.exe, version 2.5.2.0, faulting module furcadia.exe, version 2.5.2.0, fault address 0x000197b8.
Processing media-specific event for [furcadia.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8883 / Error
Event Submitted/Written: 03/10/2008 00:19:16 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type8882 / Error
Event Submitted/Written: 03/10/2008 00:19:16 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type8881 / Warning
Event Submitted/Written: 03/10/2008 00:19:14 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0016E334B099. The IP address being used is 169.254.24.173.

Event Record #/Type8878 / Error
Event Submitted/Written: 03/10/2008 00:18:05 PM
Event ID/Source: 32003 / ipnathlp
Event Description:
The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

Event Record #/Type8876 / Warning
Event Submitted/Written: 03/10/2008 01:55:11 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-03-10 22:49:02 ------------

EmpressPhoenix
2008-03-12, 11:38
Ok..I guess the kasperky log is too big to attach, so, I am going to have more replies.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 11, 2008 12:59:02 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/03/2008
Kaspersky Anti-Virus database records: 622698
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 91922
Number of viruses found: 25
Number of infected objects: 66
Number of suspicious objects: 0
Duration of the scan process: 01:53:33

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\FEJcbeAe.exe.part/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\FEJcbeAe.exe.part CAB: infected - 1 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\nsk2D5.tmp\onestep.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\nsk2D5.tmp\osopt.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\nsr322.tmp\onestep.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\nsr322.tmp\osopt.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\~DFC284.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Dragon's Eye Productions\Furcadia\Portrait Cache\images.howl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Dragon's Eye Productions\Furcadia\Portrait Cache\portraits.howl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\cert8.db Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\content-prefs.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\cookies.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\downloads.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\formhistory.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\key3.db Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\parent.lock Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\permissions.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\places.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\places.sqlite-journal Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\places.sqlite-stmtjrnl Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\search.sqlite Object is locked skipped
C:\Documents and Settings\renter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\renter\Desktop\Phoenix\mreowproxy.dat Object is locked skipped
C:\Documents and Settings\renter\Desktop\Phoenix\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Documents and Settings\renter\Desktop\Phoenix\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe CAB: infected - 1 skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Identities\{8BC6253D-6556-4E73-99EC-C13132E1CB16}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Identities\{8BC6253D-6556-4E73-99EC-C13132E1CB16}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\urlclassifier3.sqlite Object is locked skipped
C:\Documents and Settings\renter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\renter\Local Settings\History\History.IE5\MSHist012008031020080311\index.dat Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temp\~DFAE36.tmp Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temp\~DFC276.tmp Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temporary Internet Files\Content.IE5\BRNIO4B0\StampChooser[2].htm Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temporary Internet Files\Content.IE5\DKLA6383\StationeryChooser[1].htm Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\renter\My Documents\Furcadia\Logs\Adajio_logfile.html Object is locked skipped
C:\Documents and Settings\renter\ntuser.dat Object is locked skipped
C:\Documents and Settings\renter\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Internet Explorer\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\Mozilla Firefox 3 Beta 1\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\Documents and Settings\renter\My Documents\SKS~1\wіnword.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\QooBox\Quarantine\C\Program Files\QdrDrive\QdrDrive8.dll.vir Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack11.exe.vir Infected: Trojan-Downloader.Win32.Agent.jjr skipped
C:\QooBox\Quarantine\C\Program Files\Router\UnInstall.exe.vir Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\QooBox\Quarantine\C\WINDOWS\b111.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjv skipped
C:\QooBox\Quarantine\C\WINDOWS\b147.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\QooBox\Quarantine\C\WINDOWS\b148.exe.vir Infected: Trojan-Downloader.Win32.Agent.hbd skipped
C:\QooBox\Quarantine\C\WINDOWS\b149.exe.vir Infected: Trojan-Dropper.Win32.Agent.ctu skipped
C:\QooBox\Quarantine\C\WINDOWS\b151.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cflcnxdc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ebjlkwqm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\essssuwa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fdexwohr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fhnvqhvx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gnleejyk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\haevgvqa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iplurbte.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nflwxswn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ntygphrn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rhrpgssq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rndmqqld.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rplwfpus.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vncexdvo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xexmvktq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-01-21_235140.33.zip/vtutr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-01-21_235140.33.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP109\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E7F7452D-7738-4BAC-8B1D-E403B1B352F2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\f3PSSavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_50c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
-----------------------------------------
Deckard's System Scanner v20071014.68
Run by renter on 2008-03-10 22:46:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
45: 2008-03-11 04:47:10 UTC - RP109 - Deckard's System Scanner Restore Point
44: 2008-03-10 17:20:27 UTC - RP108 - System Checkpoint
43: 2008-03-09 16:20:26 UTC - RP107 - System Checkpoint
42: 2008-03-08 15:20:26 UTC - RP106 - System Checkpoint
41: 2008-03-07 14:20:24 UTC - RP105 - System Checkpoint


-- First Restore Point --
1: 2008-01-26 20:24:32 UTC - RP65 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).

EmpressPhoenix
2008-03-12, 11:39
-- HijackThis (run as renter.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:20 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\renter\Desktop\Phoenix\mreowproxy.exe
C:\Documents and Settings\renter\Desktop\dss.exe
C:\DOCUME~1\renter\Desktop\Phoenix\renter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\renter\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 9837 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\renter\Desktop\Phoenix\backups\) ------

backup-20080206-192205-937 O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R3 TVALD (Toshiba Mobile PC Service) - c:\windows\system32\drivers\nbsmi.sys <Not Verified; Toshiba Corporation; Toshiba Notebook PC SMI Service>
R3 Tvs (TOSHIBA Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 TAPPSRV (TOSHIBA Application Service) - "c:\program files\toshiba\toshiba applet\tappsrv.exe" <Not Verified; TOSHIBA Corp.; TOSHIBA TAPPSRV>

S3 gusvc (Google Updater Service) - "c:\program files\google\common\google updater\googleupdaterservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-07 20:40:20 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-11 01:21:11 242 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-02-10 and 2008-03-10 -----------------------------

2008-03-07 16:29:46 0 d-------- C:\Documents and Settings\renter\Application Data\Template
2008-03-07 16:28:33 120 --a------ C:\Documents and Settings\renter\Application Data\wklnhst.dat
2008-03-07 15:09:03 0 d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-03-07 15:08:53 0 d-------- C:\Program Files\Winamp Remote
2008-03-05 22:28:43 0 d-------- C:\Documents and Settings\renter\Application Data\IMVU
2008-03-05 22:28:29 0 d-------- C:\Program Files\IMVU
2008-03-04 00:29:30 0 d-------- C:\Program Files\SecondLife
2008-03-03 00:20:24 983 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-03-02 14:46:01 0 d-------- C:\Documents and Settings\renter\Application Data\HTML Executable
2008-03-02 14:45:47 0 d-------- C:\Program Files\Common Files\HTML Executable Viewer
2008-03-02 05:55:41 0 d-------- C:\Documents and Settings\renter\Application Data\Aquatica 3D
2008-03-02 05:49:38 28672 --a------ C:\WINDOWS\system32\f3PSSavr.scr <Not Verified; FunWebProducts.com; Popular Screensavers>
2008-03-02 05:49:38 0 d-------- C:\Program Files\FunWebProducts
2008-03-02 05:49:31 0 d-------- C:\Program Files\MyWebSearch
2008-03-02 05:45:07 0 d-------- C:\Program Files\OneStepSearch
2008-03-02 05:35:30 1036288 --a------ C:\WINDOWS\system32\tvutil62.dll <Not Verified; TrueVision3D; TrueVision3D C++ Utility Dll>
2008-03-02 05:35:30 253952 --a------ C:\WINDOWS\system32\tvmedia.dll <Not Verified; TrueVision3D LLC; TV3DMedia>
2008-03-02 05:35:30 1839168 --a------ C:\WINDOWS\system32\truevision3d.dll <Not Verified; TrueVision3D LLC; TrueVision3D 6.2 3D Engine>
2008-03-02 05:32:00 1311335 --a------ C:\WINDOWS\system32\aquarium.scr <Not Verified; Axialis Software; Axialis Screen Saver Producer>

-- Find3M Report ---------------------------------------------------------------

2008-03-10 21:00:54 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 1
2008-03-10 20:06:57 0 d-------- C:\Program Files\Furcadia
2008-03-09 15:08:40 0 d-------- C:\Documents and Settings\renter\Application Data\Corel
2008-03-09 15:08:09 3766 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-07 21:06:21 0 d-------- C:\Program Files\Trillian
2008-03-07 15:09:27 0 d-------- C:\Program Files\Winamp
2008-03-04 22:43:37 0 d-------- C:\Documents and Settings\renter\Application Data\uTorrent
2008-03-02 14:45:47 0 d-------- C:\Program Files\Common Files
2008-02-28 04:23:08 0 d-------- C:\Program Files\The Weather Channel FW
2008-02-27 17:30:14 0 d-------- C:\Documents and Settings\renter\Application Data\LimeWire
2008-02-26 22:34:57 0 d-------- C:\Program Files\LimeWire
2008-02-14 05:21:33 0 d-------- C:\Documents and Settings\renter\Application Data\Mozilla
2008-02-09 23:25:53 0 d-------- C:\Program Files\dogproxy2
2008-02-06 23:40:25 0 d-------- C:\Documents and Settings\renter\Application Data\SecondLife
2008-02-06 03:25:01 0 d-------- C:\Program Files\Mercenary Enclave
2008-02-06 02:35:38 0 d-------- C:\Documents and Settings\renter\Application Data\Adobe
2008-02-04 07:11:46 0 d-------- C:\Program Files\DivX
2008-01-27 21:41:14 0 d-------- C:\Program Files\VS Revo Group
2008-01-27 21:41:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-27 21:33:42 0 d-------- C:\Program Files\Furbot WX
2008-01-26 23:11:52 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-19 00:02:36 0 d-------- C:\Program Files\Soulseek
2008-01-18 23:59:18 0 d-------- C:\Program Files\Windows Media Connect 2
2008-01-13 19:24:18 0 d-------- C:\Documents and Settings\renter\Application Data\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [11/10/2005 01:14 PM C:\WINDOWS\RTHDCPL.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 11:05 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [10/14/2004 05:28 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [10/14/2004 05:26 PM]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [11/10/2005 12:24 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [08/01/2005 07:10 AM]
"TPSMain"="TPSMain.exe" [05/31/2005 11:00 PM C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [07/15/2005 12:52 PM]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [04/26/2005 06:13 PM]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [03/17/2005 07:37 PM]
"CFSServ.exe"="CFSServ.exe" []
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [08/04/2006 11:00 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 07:00 AM]
"AGRSMMSG"="AGRSMMSG.exe" [10/15/2005 08:29 AM C:\WINDOWS\agrsmmsg.exe]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" [03/02/2008 05:49 AM]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [03/02/2008 05:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [12/30/2004 02:32 AM]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [03/16/2007 08:51 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [01/30/2008 01:11 PM]
"@"="" []
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [03/02/2008 05:49 AM]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [01/07/2008 02:02 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [11/4/2005 9:20:51 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"LtMoh"=C:\Program Files\ltmoh\Ltmoh.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"TFncKy"=TFncKy.exe
"THotkey"=C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37c81ee5-6d6b-11dc-9c48-806d6172696f}]
AutoRun\command- D:\install.EXE id= ver=1.0.0.0




-- End of Deckard's System Scanner: finished at 2008-03-10 22:49:02 ------------

__RiP_ChAiN_
2008-03-13, 05:24
Hello EmpressPhoenix,

Using Add Or Remove Programs remove the following entries (if present): (To get into add Or Remove Programs press the START button > Control Panel > Add Or Remove Programs.)

µTorrent
LimeWire 4.16.6
My Web Search (Popular Screensavers)
Viewpoint Media Player

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\Documents and Settings\renter\Desktop\Phoenix\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe
C:\WINDOWS\system32\f3PSSavr.scr
C:\Program Files\MyWebSearch
C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
C:\Program Files\OneStepSearch
C:\Program Files\LimeWire


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\Documents and Settings\renter\Desktop\Phoenix\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe
C:\WINDOWS\system32\f3PSSavr.scr
C:\Program Files\MyWebSearch
C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
C:\Program Files\OneStepSearch
C:\Program Files\LimeWire


Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post back with the following:
A new HijackThis log.
The OTMoveIt log.

EmpressPhoenix
2008-03-13, 07:14
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:07 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\dogproxy2\DogProxy2.exe
C:\Program Files\Mozilla Firefox 3 Beta 1\firefox.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\renter\Desktop\Phoenix\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\renter\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 8856 bytes

C:\Documents and Settings\renter\Desktop\Phoenix\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe moved successfully.
File/Folder C:\WINDOWS\system32\f3PSSavr.scr not found.
File/Folder C:\Program Files\MyWebSearch not found.
File/Folder C:\Program Files\FunWebProducts not found.
File/Folder C:\Program Files\MyWebSearch not found.
C:\Program Files\OneStepSearch moved successfully.
C:\Program Files\LimeWire moved successfully.
[Custom Input]
< C:\Documents and Settings\renter\Desktop\Phoenix\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe >
File/Folder C:\Documents and Settings\renter\Desktop\Phoenix\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe not found.
< C:\WINDOWS\system32\f3PSSavr.scr >
File/Folder C:\WINDOWS\system32\f3PSSavr.scr not found.
< C:\Program Files\MyWebSearch >
File/Folder C:\Program Files\MyWebSearch not found.
< C:\Program Files\FunWebProducts >
File/Folder C:\Program Files\FunWebProducts not found.
< C:\Program Files\MyWebSearch >
File/Folder C:\Program Files\MyWebSearch not found.
< C:\Program Files\OneStepSearch >
File/Folder C:\Program Files\OneStepSearch not found.
< C:\Program Files\LimeWire >
File/Folder C:\Program Files\LimeWire not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03122008_230751

__RiP_ChAiN_
2008-03-14, 19:07
Hello EmpressPhoenix,

Using Windows Explorer delete the following folder (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\Qoobox

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZRfox000

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Please do another online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

EmpressPhoenix
2008-03-15, 23:41
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 15, 2008 3:34:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/03/2008
Kaspersky Anti-Virus database records: 631115
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 95121
Number of viruses found: 25
Number of infected objects: 66
Number of suspicious objects: 0
Duration of the scan process: 01:54:36

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\FEJcbeAe.exe.part/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\FEJcbeAe.exe.part CAB: infected - 1 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\nsk2D5.tmp\onestep.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\nsk2D5.tmp\osopt.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\nsr322.tmp\onestep.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\backup\DOCUME~1\renter\LOCALS~1\Temp\nsr322.tmp\osopt.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Dragon's Eye Productions\Furcadia\Portrait Cache\images.howl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Dragon's Eye Productions\Furcadia\Portrait Cache\portraits.howl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\cert8.db Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\content-prefs.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\cookies.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\downloads.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\formhistory.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\key3.db Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\parent.lock Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\permissions.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\places.sqlite Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\places.sqlite-journal Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\places.sqlite-stmtjrnl Object is locked skipped
C:\Documents and Settings\renter\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\search.sqlite Object is locked skipped
C:\Documents and Settings\renter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Application Data\Mozilla\Firefox\Profiles\eut6ja2c.default\urlclassifier3.sqlite Object is locked skipped
C:\Documents and Settings\renter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\renter\Local Settings\History\History.IE5\MSHist012008031520080316\index.dat Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temp\~DF9D79.tmp Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temp\~DF9D85.tmp Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temp\~DFFD66.tmp Object is locked skipped
C:\Documents and Settings\renter\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\renter\My Documents\Furcadia\Logs\Adajio_logfile.html Object is locked skipped
C:\Documents and Settings\renter\My Documents\Furcadia\Logs\Zinj_logfile.html Object is locked skipped
C:\Documents and Settings\renter\ntuser.dat Object is locked skipped
C:\Documents and Settings\renter\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\Documents and Settings\renter\My Documents\SKS~1\wіnword.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\Program Files\ISM\ism.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\Program Files\QdrDrive\QdrDrive8.dll.vir Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\Program Files\QdrPack\QdrPack11.exe.vir Infected: Trojan-Downloader.Win32.Agent.jjr skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\Program Files\Router\UnInstall.exe.vir Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\b111.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjv skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\b147.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\b148.exe.vir Infected: Trojan-Downloader.Win32.Agent.hbd skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\b149.exe.vir Infected: Trojan-Dropper.Win32.Agent.ctu skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\b151.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\cflcnxdc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\ebjlkwqm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\essssuwa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\fdexwohr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\fhnvqhvx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\gnleejyk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\haevgvqa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\iplurbte.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

EmpressPhoenix
2008-03-15, 23:41
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\nflwxswn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\ntygphrn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\rhrpgssq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\rndmqqld.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\rplwfpus.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\vncexdvo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\C\WINDOWS\system32\xexmvktq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\catchme2008-01-21_235140.33.zip/vtutr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157\Quarantine\catchme2008-01-21_235140.33.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019959.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019960.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019968.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019970.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019971.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019972.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019973.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019974.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019975.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019976.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019977.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019978.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019979.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019980.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019981.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019983.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019985.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019987.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019988.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019990.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019991.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019992.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019997.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019998.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0019999.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0020000.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0020001.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0020002.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0020003.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0020004.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP110\A0020005.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP112\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A2AA1134-F834-43E7-9958-AC17C1B03A97}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_50c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\03122008_230751\Documents and Settings\renter\Desktop\Phoenix\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\_OTMoveIt\MovedFiles\03122008_230751\Documents and Settings\renter\Desktop\Phoenix\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe CAB: infected - 1 skipped

Scan process completed.

__RiP_ChAiN_
2008-03-16, 20:52
Hello EmpressPhoenix,

Using Windows Explorer delete the following folder (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\RECYCLER\S-1-5-21-2102106993-888191231-1037102494-1006\Dc157


Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
IE/Spyad (http://www.bleepingcomputer.com/tutorials/tutorial53.html) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

EmpressPhoenix
2008-03-17, 21:59
Sorry about late response. I use Firefox Beta and it updated and all my new bookmarks, including the bookmark to this post, are now gone. Just wanted to let you know so it's not thought that I abandoned my post.

__RiP_ChAiN_
2008-03-18, 17:24
Thanks for the reply, I appreciate your follow-up response :)