PDA

View Full Version : Virtumonde Infection


Jax840621
2008-06-04, 06:24
I have been trying to remove this virtumonde malware. I first noticed it because TeaTimer. Spybot will 'remove' it but within a few minutes of booting, TeaTimer goes crazy. I have also run ComboFix. This also 'removes' it, but it will be back within minutes. Spyware Doctor does not detect or clean it.
These logs were generated ComboFix first, KAV Second, and HJT last. My KAV report won't fit into one post. I have posted part of it. I have the full one if you would like that posted.
Here are my logs:

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:22 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\VPNremote for Windows XP\AvVpnService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
D:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSBattM.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\WINDOWS\system32\RAMASST.exe
D:\Program Files\Webshots\webshots.scr
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = co.proxy.avaya.com:8000
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon0.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM135a4420] Rundll32.exe "C:\WINDOWS\system32\wtolcuyb.dll",s
O4 - HKLM\..\RunOnce: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DW6] "C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {338095E4-1806-4BA3-AB51-38A3179200E9} (QuickMksAxCtl Class) - http://127.0.0.1:8308/ui/plugin/vmwa...-win32-x86.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Avaya VPN Service (AvService) - Unknown owner - C:\Program Files\VPNremote for Windows XP\AvVpnService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - D:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - D:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - D:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 13799 bytes

ComboFix:
ComboFix 08-05-29.1 - Jax 2008-06-01 13:59:16.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.870 [GMT -6:00]
Running from: C:\Documents and Settings\Jax\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM135a4420.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bxxluttg.dll
C:\WINDOWS\system32\linkyhhe.exe
C:\WINDOWS\system32\mxtdknlq.ini
C:\WINDOWS\system32\qlnkdtxm.dll
C:\WINDOWS\system32\qWDLkUvw.ini
C:\WINDOWS\system32\qWDLkUvw.ini2
C:\WINDOWS\system32\tsejjnai.dll
C:\WINDOWS\system32\wvUkLDWq.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 23:27 . 2008-05-31 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 22:49 . 2008-06-01 11:26 <DIR> d-------- C:\Program Files\Acceleration Software
2008-05-31 22:49 . 2008-05-31 22:49 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\eAcceleration
2008-05-31 22:48 . 2008-05-31 22:49 <DIR> d-------- C:\Program Files\eAcceleration
2008-05-31 22:48 . 2008-06-01 11:25 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2008-05-31 22:48 . 2008-05-31 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eAcceleration
2008-05-31 17:34 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-31 17:34 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-31 17:34 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-31 17:34 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-31 17:33 . 2008-05-31 17:33 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\PC Tools
2008-05-31 16:04 . 2008-05-31 22:46 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\Lavasoft
2008-05-31 14:15 . 2008-06-01 10:46 <DIR> d-------- C:\QUARANTINE
2008-05-31 14:04 . 2008-05-31 14:03 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-31 14:04 . 2008-05-31 14:04 2,543 --a------ C:\WINDOWS\unins000.dat
2008-05-31 14:01 . 2008-05-31 14:01 <DIR> d-------- C:\McAfee
2008-05-31 13:59 . 2008-05-31 13:59 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-31 13:59 . 2008-05-31 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-31 13:59 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-31 13:59 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-31 13:59 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-31 13:59 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-31 13:59 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-31 13:59 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-31 13:59 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-31 13:58 . 2008-05-31 13:59 <DIR> d-------- C:\Program Files\McAfee
2008-05-31 13:58 . 2008-05-31 13:58 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-31 00:01 . 2008-05-31 00:06 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-05-30 23:41 . 2008-05-30 23:42 59,392 --a------ C:\WINDOWS\system32\cbXPhiIB.dll
2008-05-30 15:32 . 2008-05-30 15:32 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-29 15:33 . 2008-05-29 15:33 <DIR> d-------- C:\Documents and Settings\Jax\.netbeans-registration
2008-05-29 15:08 . 2003-09-03 16:28 67,200 --a------ C:\WINDOWS\system32\drivers\jusb.sys
2008-05-29 14:33 . 2003-09-05 10:08 245,852 --a------ C:\WINDOWS\system32\jusb.dll
2008-05-29 01:29 . 2008-06-01 13:51 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\Azureus
2008-05-29 01:29 . 2008-05-29 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-05-27 17:13 . 2008-05-27 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Amazon
2008-05-27 17:13 . 2008-05-27 17:13 <DIR> d-------- C:\Amazon Unbox
2008-05-27 17:12 . 2008-05-31 00:00 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-24 13:09 . 2008-05-24 13:09 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\InterVideo
2008-05-22 13:06 . 2008-05-22 13:06 <DIR> d-------- C:\Program Files\The Weather Channel FW
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-15 17:33 . 2008-05-15 17:33 <DIR> d-------- C:\WINDOWS\system32\cvirte
2008-05-12 08:26 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-05-04 12:30 . 2008-05-04 12:30 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\Webshots
2008-05-04 09:45 . 2008-05-04 09:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\packages
2008-05-04 07:21 . 2008-05-04 07:21 <DIR> d-------- C:\sj652

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 19:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 05:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 02:44 --------- d-----w C:\Program Files\VPNremote for Windows XP
2008-05-31 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 03:21 --------- d-----w C:\Documents and Settings\Jax\Application Data\Dev-Cpp
2008-05-26 20:57 --------- d-----w C:\Program Files\Google
2008-05-22 18:39 --------- d-----w C:\Documents and Settings\Jax\Application Data\AdobeUM
2008-05-22 16:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-16 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\National Instruments
2008-05-15 23:38 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-05-14 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-14 17:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-12 16:13 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-04 12:48 286,720 ------w C:\WINDOWS\Setup1.exe
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-17 18:29 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2008-04-10 19:10 --------- d-----w C:\Documents and Settings\Jax\Application Data\National Instruments
2008-04-06 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-04-06 21:06 --------- d-----w C:\Program Files\SAPpc
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-08 21:40 851,968 ----a-w C:\Program Files\internet explorer\plugins\libeay32.dll
2004-03-16 00:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2005-10-12 22:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 17:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-25 01:03 118,784 ----a-w C:\Program Files\internet explorer\plugins\LV85ActiveXControl.dll
2007-11-08 21:40 348,160 ----a-w C:\Program Files\internet explorer\plugins\msvcr71.dll
2007-11-08 21:40 950,272 ----a-w C:\Program Files\internet explorer\plugins\quickMksAx.dll
2007-11-08 21:40 159,744 ----a-w C:\Program Files\internet explorer\plugins\ssleay32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{181F974D-BBE3-4801-9544-3AF1C05DF3BA}]
C:\WINDOWS\system32\mlJaaBRl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{476FCA39-5318-4F72-B864-70185B670EA3}]
C:\WINDOWS\system32\khfFWpqO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D7DB869-3021-4CD2-AF0A-B3CAD75ECE31}]
2008-05-30 23:42 59392 --a------ C:\WINDOWS\system32\cbXPhiIB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF9132BF-79E1-4D62-B2B8-804B2F14096B}]
C:\WINDOWS\system32\qoMFXPFu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="D:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 13:40 4167376]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"DW6"="C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe" [2008-05-14 13:41 785520]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 16:29 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-01 14:04 7557120]
"nwiz"="nwiz.exe" [2006-05-01 14:04 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVRotateSysTray"="C:\WINDOWS\system32\nvsysrot.dll" [2006-05-01 14:04 49152]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 19:36 30208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 18:32 761945]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 15:02 352256]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [ ]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 14:25 73728]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2005-05-31 23:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 18:13 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 19:37 151552]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 07:20 122940]
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:22 3739648]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [ ]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [2008-04-15 17:30 173392]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon0.dll" [2008-04-21 11:20 152976]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2008-04-21 11:20 140696]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [2008-05-14 17:06 763232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2008-04-21 11:20 140696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="D:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 13:40 4167376]

C:\Documents and Settings\Jax\Start Menu\Programs\Startup\
Webshots.lnk - D:\Program Files\Webshots\Launcher.exe [2008-05-04 12:30:34 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-18 23:44:42 25214]
Amazon Unbox.lnk - D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 17:25:20 97320]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-01-19 15:35:06 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D7DB869-3021-4CD2-AF0A-B3CAD75ECE31}"= C:\WINDOWS\system32\cbXPhiIB.dll [2008-05-30 23:42 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\Userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXPhiIB]
cbXPhiIB.dll 2008-05-30 23:42 59392 C:\WINDOWS\system32\cbXPhiIB.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2006-05-05 19:48 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\VPNremote for Windows XP\\VPNremote.exe"=
"D:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"D:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R0 avipsec;Avaya IPSEC Driver;C:\WINDOWS\system32\drivers\avipsec.sys [2005-09-13 16:50]
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 02:05]
R1 VProtocol;AVAYA VPNet VProtocol;C:\WINDOWS\system32\DRIVERS\vproto2k.sys [2005-09-13 16:50]
R2 AvService;Avaya VPN Service;C:\Program Files\VPNremote for Windows XP\AvVpnService.exe [2005-09-13 16:50]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2004-07-26 10:00]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 20:00]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 19:59]
R2 IOPort;IOPort;C:\WINDOWS\system32\DRIVERS\IOPORT.SYS [2001-03-01 01:15]
R2 mxssvr;NI Configuration Manager;"D:\Program Files\National Instruments\MAX\nimxs.exe" [2007-03-08 17:29]
R2 NITaggerService;National Instruments Variable Engine;"D:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-07-23 09:29]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2006-05-05 19:33]
R3 ndisva;Avaya VPNet Virtual Adapter Driver;C:\WINDOWS\system32\DRIVERS\vadapter.sys [2005-09-13 16:50]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2006-05-05 19:12]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 16:47]
S2 eac_notifysvc;eAcceleration Notification Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe" [2008-03-24 17:46]
S2 eac_productsvc;eAcceleration Product Manager Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" [2008-03-24 17:46]
S3 JUSB;JUSB.Sys Java USB Driver;C:\WINDOWS\system32\drivers\JUSB.sys [2003-09-03 16:28]
S3 krdpdre;krdpdre;C:\DOCUME~1\Jax\LOCALS~1\Temp\krdpdre.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Autorun.exe

.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\AvayaGina.dll
-> C:\WINDOWS\system32\cbXPhiIB.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
D:\Program Files\Webshots\Webshots.scr
.
**************************************************************************
.
Completion time: 2008-06-01 14:09:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 20:09:26
ComboFix2.txt 2008-06-01 17:24:21
ComboFix3.txt 2008-06-01 17:14:39
ComboFix4.txt 2008-06-01 17:11:55
ComboFix5.txt 2008-06-01 16:43:35

Pre-Run: 500,031,488 bytes free
Post-Run: 494,051,328 bytes free

304 --- E O F --- 2008-06-01 17:00:45

This is not the full KAV log. It wouldn't fit into one post. I have the full one if you would like that posted.

KAV:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 02, 2008 4:19:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/06/2008
Kaspersky Anti-Virus database records: 821972
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
Scan Statistics:
Total number of scanned objects: 105274
Number of viruses found: 11
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 01:48:28
Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\Jax\Local Settings\Temporary Internet Files\Content.IE5\4XBFNJWX\kb516107[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\Documents and Settings\Jax\Local Settings\Temporary Internet Files\Content.IE5\F9GXJTQ3\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wti skipped
C:\Documents and Settings\Jax\Local Settings\Temporary Internet Files\Content.IE5\F9GXJTQ3\kb456456[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\RECYCLER\S-1-5-21-2340103986-951937984-3967435536-1005\Dc1\C\WINDOWS\system32\bxxluttg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\RECYCLER\S-1-5-21-2340103986-951937984-3967435536-1005\Dc1\C\WINDOWS\system32\meycbjmm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\RECYCLER\S-1-5-21-2340103986-951937984-3967435536-1005\Dc1\C\WINDOWS\system32\pwoprsic.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\RECYCLER\S-1-5-21-2340103986-951937984-3967435536-1005\Dc1\C\WINDOWS\system32\qlnkdtxm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP2\A0000119.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP2\A0000120.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP2\A0000121.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP2\A0000122.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP2\A0000123.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP2\A0000125.dll Infected: Trojan.Win32.Monder.le skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP2\A0000126.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP2\A0000127.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP2\A0000129.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP4\A0002278.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{BB53A2CB-DF0B-41A1-A428-20CF4CC18FC0}\RP4\A0002280.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\WINDOWS\system32\cbXPhiIB.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqj skipped
C:\WINDOWS\system32\quercyjt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
D:\Documents\TravelDrive\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
D:\Documents\TravelDrive\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
D:\Documents\TravelDrive\DivXPro511Adware.exe NSIS: infected - 2 skipped
D:\Documents\VNC\Tight_VNC\tightvnc-1.2.9-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
D:\Documents\VNC\Tight_VNC\tightvnc-1.2.9-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Documents\VNC\Tight_VNC\tightvnc-1.2.9-setup.exe Inno: infected - 2 skipped
D:\Documents\VNC\Tight_VNC\tightvnc-1.3.8-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
D:\Documents\VNC\Tight_VNC\tightvnc-1.3.8-setup.exe Inno: infected - 1 skipped
D:\Documents\VNC\Tight_VNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Documents\VNC\Ultra_VNC\UltraVNC-101-Setup.exe/file130 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
D:\Documents\VNC\Ultra_VNC\UltraVNC-101-Setup.exe/file131 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
D:\Documents\VNC\Ultra_VNC\UltraVNC-101-Setup.exe Inno: infected - 2 skipped
Blade81
2008-06-05, 19:20
Hi

I think you missed Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806) (ran ComboFix though it shouldn't be used without supervision) sticky ;)

Please uninstall Spybot for now to make sure TeaTimer won't interfere fixing. You may reinstall it after system is clean :)


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\cbXPhiIB.dll
C:\WINDOWS\system32\quercyjt.dll
D:\Documents\TravelDrive\DivXPro511Adware.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{181F974D-BBE3-4801-9544-3AF1C05DF3BA}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{476FCA39-5318-4F72-B864-70185B670EA3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D7DB869-3021-4CD2-AF0A-B3CAD75ECE31}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF9132BF-79E1-4D62-B2B8-804B2F14096B}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D7DB869-3021-4CD2-AF0A-B3CAD75ECE31}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXPhiIB]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting above meantioned ComboFix resultant log).

I noticed those "please note that you need administrator rights to perform deep scan and disk not found C:\ errors. Do you have administrator rights?

You can check this in control panel. Open User accounts. (may need to enable "classic view")
Under your name should say "limited user" or "computer administrator".
Jax840621
2008-06-06, 00:14
I ran ComboFix before I found these forums. I did read the post but it was too late. I am an adminstrator on this PC. I'm not sure why those errors are there. KAV log does not fit, so I am attaching it here as a zip file. Here are my logs after previous instructions:

COMBOFIX[B]
ComboFix 08-05-29.1 - Jax 2008-06-05 12:16:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.896 [GMT -6:00]
Running from: C:\Documents and Settings\Jax\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jax\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\cbXPhiIB.dll
C:\WINDOWS\system32\quercyjt.dll
D:\Documents\TravelDrive\DivXPro511Adware.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM135a4420.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cbXPhiIB.dll
C:\WINDOWS\system32\kpvybtsq.ini
C:\WINDOWS\system32\nbssrdkm.dll
C:\WINDOWS\system32\ppnbjuqs.dll
C:\WINDOWS\system32\qstbyvpk.dll
C:\WINDOWS\system32\quercyjt.dll
C:\WINDOWS\system32\tjycreuq.ini
C:\WINDOWS\system32\tuvVOGxy.dll
C:\WINDOWS\system32\uBcIRBeg.ini
C:\WINDOWS\system32\uBcIRBeg.ini2
C:\WINDOWS\system32\wtolcuyb.dll
C:\WINDOWS\system32\yxGOVvut.ini
C:\WINDOWS\system32\yxGOVvut.ini2
D:\Documents\TravelDrive\DivXPro511Adware.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 12:16 . 2008-06-05 12:16 117,248 --a------ C:\WINDOWS\system32\ogryjler.dll
2008-06-05 12:16 . 2008-06-05 12:24 354 ---hs---- C:\WINDOWS\system32\reljyrgo.ini
2008-06-05 12:13 . 2008-06-05 12:13 133,120 --a------ C:\WINDOWS\system32\yclbpllf.dll
2008-06-05 12:07 . 2008-06-05 12:07 126,976 --a------ C:\WINDOWS\system32\vqqtygeu.dll
2008-06-05 12:05 . 2008-06-05 12:05 126,976 --a------ C:\WINDOWS\system32\umjwbijg.dll
2008-06-02 13:03 . 2008-06-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 13:02 . 2008-06-02 13:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 12:29 . 2008-06-02 12:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-01 16:45 . 2008-06-01 16:45 <DIR> d-------- C:\VundoFix Backups
2008-06-01 16:13 . 2008-06-05 12:09 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-31 23:27 . 2008-05-31 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 17:34 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-31 17:34 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-31 17:34 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-31 17:34 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-31 17:33 . 2008-05-31 17:33 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\PC Tools
2008-05-31 16:04 . 2008-05-31 22:46 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\Lavasoft
2008-05-31 14:15 . 2008-06-05 12:17 <DIR> d-------- C:\QUARANTINE
2008-05-31 14:01 . 2008-05-31 14:01 <DIR> d-------- C:\McAfee
2008-05-31 13:59 . 2008-05-31 13:59 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-31 13:59 . 2008-05-31 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-31 13:59 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-31 13:59 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-31 13:59 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-31 13:59 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-31 13:59 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-31 13:59 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-31 13:59 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-31 13:58 . 2008-05-31 13:59 <DIR> d-------- C:\Program Files\McAfee
2008-05-31 13:58 . 2008-05-31 13:58 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-31 00:01 . 2008-05-31 00:06 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-05-30 15:32 . 2008-05-30 15:32 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-29 15:33 . 2008-05-29 15:33 <DIR> d-------- C:\Documents and Settings\Jax\.netbeans-registration
2008-05-29 15:08 . 2003-09-03 16:28 67,200 --a------ C:\WINDOWS\system32\drivers\jusb.sys
2008-05-29 14:33 . 2003-09-05 10:08 245,852 --a------ C:\WINDOWS\system32\jusb.dll
2008-05-29 01:29 . 2008-06-01 13:51 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\Azureus
2008-05-29 01:29 . 2008-05-29 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-05-27 17:13 . 2008-05-27 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Amazon
2008-05-27 17:13 . 2008-05-27 17:13 <DIR> d-------- C:\Amazon Unbox
2008-05-27 17:12 . 2008-05-31 00:00 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-24 13:09 . 2008-05-24 13:09 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\InterVideo
2008-05-22 13:06 . 2008-05-22 13:06 <DIR> d-------- C:\Program Files\The Weather Channel FW
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-15 17:33 . 2008-05-15 17:33 <DIR> d-------- C:\WINDOWS\system32\cvirte
2008-05-12 08:26 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 20:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 05:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 02:44 --------- d-----w C:\Program Files\VPNremote for Windows XP
2008-05-30 03:21 --------- d-----w C:\Documents and Settings\Jax\Application Data\Dev-Cpp
2008-05-26 20:57 --------- d-----w C:\Program Files\Google
2008-05-22 18:39 --------- d-----w C:\Documents and Settings\Jax\Application Data\AdobeUM
2008-05-22 16:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-16 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\National Instruments
2008-05-15 23:38 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-05-14 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-14 17:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 18:30 --------- d-----w C:\Documents and Settings\Jax\Application Data\Webshots
2008-05-04 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\packages
2008-05-04 12:48 286,720 ------w C:\WINDOWS\Setup1.exe
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-17 18:29 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2008-04-10 19:10 --------- d-----w C:\Documents and Settings\Jax\Application Data\National Instruments
2008-04-06 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-04-06 21:06 --------- d-----w C:\Program Files\SAPpc
2007-11-08 21:40 851,968 ----a-w C:\Program Files\internet explorer\plugins\libeay32.dll
2004-03-16 00:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2005-10-12 22:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 17:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-25 01:03 118,784 ----a-w C:\Program Files\internet explorer\plugins\LV85ActiveXControl.dll
2007-11-08 21:40 348,160 ----a-w C:\Program Files\internet explorer\plugins\msvcr71.dll
2007-11-08 21:40 950,272 ----a-w C:\Program Files\internet explorer\plugins\quickMksAx.dll
2007-11-08 21:40 159,744 ----a-w C:\Program Files\internet explorer\plugins\ssleay32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3f1bab34-effc-4765-978b-aa77162dcb48}]
2008-06-05 12:13 133120 --a------ C:\WINDOWS\system32\yclbpllf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7B1A873-F533-47DA-82E1-56D4201F4637}]
C:\WINDOWS\system32\geBRIcBu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="D:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 13:40 4167376]
"DW6"="C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe" [2008-05-14 13:41 785520]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 16:29 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-01 14:04 7557120]
"nwiz"="nwiz.exe" [2006-05-01 14:04 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVRotateSysTray"="C:\WINDOWS\system32\nvsysrot.dll" [2006-05-01 14:04 49152]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 19:36 30208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 18:32 761945]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 15:02 352256]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [ ]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 14:25 73728]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2005-05-31 23:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 18:13 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 19:37 151552]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 07:20 122940]
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:22 3739648]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [ ]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"106977bc"="C:\WINDOWS\system32\ogryjler.dll" [2008-06-05 12:16 117248]
"BM135a4420"="C:\WINDOWS\system32\vqqtygeu.dll" [2008-06-05 12:07 126976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="D:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 13:40 4167376]

C:\Documents and Settings\Jax\Start Menu\Programs\Startup\
Webshots.lnk - D:\Program Files\Webshots\Launcher.exe [2008-05-04 12:30:34 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-18 23:44:42 25214]
Amazon Unbox.lnk - D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 17:25:20 97320]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-01-19 15:35:06 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2006-05-05 19:48 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\VPNremote for Windows XP\\VPNremote.exe"=
"D:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"D:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R0 avipsec;Avaya IPSEC Driver;C:\WINDOWS\system32\drivers\avipsec.sys [2005-09-13 16:50]
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 02:05]
R1 VProtocol;AVAYA VPNet VProtocol;C:\WINDOWS\system32\DRIVERS\vproto2k.sys [2005-09-13 16:50]
R2 AvService;Avaya VPN Service;C:\Program Files\VPNremote for Windows XP\AvVpnService.exe [2005-09-13 16:50]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2004-07-26 10:00]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 20:00]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 19:59]
R2 IOPort;IOPort;C:\WINDOWS\system32\DRIVERS\IOPORT.SYS [2001-03-01 01:15]
R2 mxssvr;NI Configuration Manager;"D:\Program Files\National Instruments\MAX\nimxs.exe" [2007-03-08 17:29]
R2 NITaggerService;National Instruments Variable Engine;"D:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-07-23 09:29]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2006-05-05 19:33]
R3 ndisva;Avaya VPNet Virtual Adapter Driver;C:\WINDOWS\system32\DRIVERS\vadapter.sys [2005-09-13 16:50]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2006-05-05 19:12]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 16:47]
S2 eac_notifysvc;eAcceleration Notification Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe" []
S2 eac_productsvc;eAcceleration Product Manager Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" []
S3 JUSB;JUSB.Sys Java USB Driver;C:\WINDOWS\system32\drivers\JUSB.sys [2003-09-03 16:28]
S3 krdpdre;krdpdre;C:\DOCUME~1\Jax\LOCALS~1\Temp\krdpdre.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 18:25:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- D:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\AvayaGina.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
-> C:\WINDOWS\system32\ogryjler.dll
-> C:\WINDOWS\system32\vqqtygeu.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Windows Defender\MsMpEng.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
D:\Program Files\Webshots\Webshots.scr
.
**************************************************************************
.
Completion time: 2008-06-05 12:25:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 18:25:54
ComboFix2.txt 2008-06-01 22:01:06
ComboFix3.txt 2008-06-01 20:18:25
ComboFix4.txt 2008-06-01 20:14:38
ComboFix5.txt 2008-06-01 20:09:35

Pre-Run: 174,395,392 bytes free
Post-Run: 185,262,080 bytes free

306 --- E O F --- 2008-06-01 17:00:45


[B]HIJACKTHIS[\B]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:01 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\VPNremote for Windows XP\AvVpnService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\Program Files\National Instruments\MAX\nimxs.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
D:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\TPSBattM.exe
D:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\WINDOWS\system32\RAMASST.exe
D:\Program Files\Webshots\webshots.scr
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = co.proxy.avaya.com:8000
O2 - BHO: {84bcd261-77aa-b879-5674-cffe43bab1f3} - {3f1bab34-effc-4765-978b-aa77162dcb48} - C:\WINDOWS\system32\yclbpllf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {A7B1A873-F533-47DA-82E1-56D4201F4637} - C:\WINDOWS\system32\geBRIcBu.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [106977bc] rundll32.exe "C:\WINDOWS\system32\ogryjler.dll",b
O4 - HKLM\..\Run: [BM135a4420] Rundll32.exe "C:\WINDOWS\system32\vqqtygeu.dll",s
O4 - HKCU\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [DW6] "C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {338095E4-1806-4BA3-AB51-38A3179200E9} (QuickMksAxCtl Class) - http://127.0.0.1:8308/ui/plugin/vmware-vmrc-win32-x86.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Avaya VPN Service (AvService) - Unknown owner - C:\Program Files\VPNremote for Windows XP\AvVpnService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - Unknown owner - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe (file missing)
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - Unknown owner - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe (file missing)
O23 - Service: Imapi Helper - Alex Feinman - D:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - D:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - D:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 12618 bytes
Blade81
2008-06-06, 07:41
Hi

Do you use FolderLock program or something similar that prevents access to some folders? If you do, please unlock all folders now.


Your ComboFix version is getting old. Time to delete present ComboFix.exe and get a fresh copy from one of these links:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\ogryjler.dll
C:\WINDOWS\system32\reljyrgo.ini
C:\WINDOWS\system32\yclbpllf.dll
C:\WINDOWS\system32\vqqtygeu.dll
C:\WINDOWS\system32\umjwbijg.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3f1bab34-effc-4765-978b-aa77162dcb48}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7B1A873-F533-47DA-82E1-56D4201F4637}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"106977bc"=-
"BM135a4420"=-



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Jax840621
2008-06-06, 08:09
Hi

I do not use FolderLock. The only thing I can think of that might be restricting folder access is McAfee On-Access Scan. Here are my resultant logs:

ComboFix
ComboFix 08-06-05.3 - Jax 2008-06-05 22:58:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.868 [GMT -6:00]
Running from: C:\Documents and Settings\Jax\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jax\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ogryjler.dll
C:\WINDOWS\system32\reljyrgo.ini
C:\WINDOWS\system32\umjwbijg.dll
C:\WINDOWS\system32\vqqtygeu.dll
C:\WINDOWS\system32\yclbpllf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\BM135a4420.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ogryjler.dll
C:\WINDOWS\system32\reljyrgo.ini
C:\WINDOWS\system32\umjwbijg.dll
C:\WINDOWS\system32\vqqtygeu.dll
C:\WINDOWS\system32\yclbpllf.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-02 13:03 . 2008-06-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 13:02 . 2008-06-02 13:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 12:29 . 2008-06-02 12:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-01 16:13 . 2008-06-05 12:09 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-31 23:27 . 2008-05-31 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 17:34 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-31 17:34 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-31 17:34 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-31 17:34 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-31 17:33 . 2008-05-31 17:33 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\PC Tools
2008-05-31 16:04 . 2008-05-31 22:46 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\Lavasoft
2008-05-31 14:15 . 2008-06-05 13:11 <DIR> d-------- C:\QUARANTINE
2008-05-31 14:01 . 2008-05-31 14:01 <DIR> d-------- C:\McAfee
2008-05-31 13:59 . 2008-05-31 13:59 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-31 13:59 . 2008-05-31 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-31 13:59 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-31 13:59 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-31 13:59 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-31 13:59 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-31 13:59 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-31 13:59 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-31 13:59 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-31 13:58 . 2008-05-31 13:59 <DIR> d-------- C:\Program Files\McAfee
2008-05-31 13:58 . 2008-05-31 13:58 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-31 00:01 . 2008-05-31 00:06 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-05-30 15:32 . 2008-05-30 15:32 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-29 15:33 . 2008-05-29 15:33 <DIR> d-------- C:\Documents and Settings\Jax\.netbeans-registration
2008-05-29 15:08 . 2003-09-03 16:28 67,200 --a------ C:\WINDOWS\system32\drivers\jusb.sys
2008-05-29 14:33 . 2003-09-05 10:08 245,852 --a------ C:\WINDOWS\system32\jusb.dll
2008-05-29 01:29 . 2008-06-01 13:51 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\Azureus
2008-05-29 01:29 . 2008-05-29 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-05-27 17:13 . 2008-05-27 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Amazon
2008-05-27 17:13 . 2008-05-27 17:13 <DIR> d-------- C:\Amazon Unbox
2008-05-27 17:12 . 2008-05-31 00:00 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-24 13:09 . 2008-05-24 13:09 <DIR> d-------- C:\Documents and Settings\Jax\Application Data\InterVideo
2008-05-22 13:06 . 2008-05-22 13:06 <DIR> d-------- C:\Program Files\The Weather Channel FW
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-15 17:33 . 2008-05-15 17:33 <DIR> d-------- C:\WINDOWS\system32\cvirte
2008-05-12 08:26 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 20:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 05:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 02:44 --------- d-----w C:\Program Files\VPNremote for Windows XP
2008-05-30 03:21 --------- d-----w C:\Documents and Settings\Jax\Application Data\Dev-Cpp
2008-05-26 20:57 --------- d-----w C:\Program Files\Google
2008-05-22 18:39 --------- d-----w C:\Documents and Settings\Jax\Application Data\AdobeUM
2008-05-22 16:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-16 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\National Instruments
2008-05-15 23:38 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-05-14 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-14 17:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 18:30 --------- d-----w C:\Documents and Settings\Jax\Application Data\Webshots
2008-05-04 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\packages
2008-05-04 12:48 286,720 ------w C:\WINDOWS\Setup1.exe
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-17 18:29 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2008-04-10 19:10 --------- d-----w C:\Documents and Settings\Jax\Application Data\National Instruments
2008-04-06 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-04-06 21:06 --------- d-----w C:\Program Files\SAPpc
2007-11-08 21:40 851,968 ----a-w C:\Program Files\internet explorer\plugins\libeay32.dll
2004-03-16 00:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2005-10-12 22:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 17:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-25 01:03 118,784 ----a-w C:\Program Files\internet explorer\plugins\LV85ActiveXControl.dll
2007-11-08 21:40 348,160 ----a-w C:\Program Files\internet explorer\plugins\msvcr71.dll
2007-11-08 21:40 950,272 ----a-w C:\Program Files\internet explorer\plugins\quickMksAx.dll
2007-11-08 21:40 159,744 ----a-w C:\Program Files\internet explorer\plugins\ssleay32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-05_12.25.40.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-05 18:22:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 05:00:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 05:02:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_fa8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="D:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 13:40 4167376]
"DW6"="C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe" [2008-05-14 13:41 785520]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 16:29 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-01 14:04 7557120]
"nwiz"="nwiz.exe" [2006-05-01 14:04 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVRotateSysTray"="C:\WINDOWS\system32\nvsysrot.dll" [2006-05-01 14:04 49152]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 19:36 30208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 18:32 761945]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 15:02 352256]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [ ]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 14:25 73728]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2005-05-31 23:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 18:13 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 19:37 151552]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 07:20 122940]
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:22 3739648]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [ ]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="D:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 13:40 4167376]

C:\Documents and Settings\Jax\Start Menu\Programs\Startup\
Webshots.lnk - D:\Program Files\Webshots\Launcher.exe [2008-05-04 12:30:34 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-18 23:44:42 25214]
Amazon Unbox.lnk - D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2007-07-11 17:25:20 97320]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-01-19 15:35:06 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2006-05-05 19:48 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\VPNremote for Windows XP\\VPNremote.exe"=
"D:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"D:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R0 avipsec;Avaya IPSEC Driver;C:\WINDOWS\system32\drivers\avipsec.sys [2005-09-13 16:50]
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 02:05]
R1 VProtocol;AVAYA VPNet VProtocol;C:\WINDOWS\system32\DRIVERS\vproto2k.sys [2005-09-13 16:50]
R2 AvService;Avaya VPN Service;C:\Program Files\VPNremote for Windows XP\AvVpnService.exe [2005-09-13 16:50]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2004-07-26 10:00]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 20:00]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 19:59]
R2 IOPort;IOPort;C:\WINDOWS\system32\DRIVERS\IOPORT.SYS [2001-03-01 01:15]
R2 mxssvr;NI Configuration Manager;"D:\Program Files\National Instruments\MAX\nimxs.exe" [2007-03-08 17:29]
R2 NITaggerService;National Instruments Variable Engine;"D:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-07-23 09:29]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2006-05-05 19:33]
R3 ndisva;Avaya VPNet Virtual Adapter Driver;C:\WINDOWS\system32\DRIVERS\vadapter.sys [2005-09-13 16:50]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2006-05-05 19:12]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 16:47]
S2 eac_notifysvc;eAcceleration Notification Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe" []
S2 eac_productsvc;eAcceleration Product Manager Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" []
S3 JUSB;JUSB.Sys Java USB Driver;C:\WINDOWS\system32\drivers\JUSB.sys [2003-09-03 16:28]
S3 krdpdre;krdpdre;C:\DOCUME~1\Jax\LOCALS~1\Temp\krdpdre.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 05:04:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- D:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\AvayaGina.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Windows Defender\MsMpEng.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
D:\Program Files\Webshots\Webshots.scr
.
**************************************************************************
.
Completion time: 2008-06-05 23:04:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 05:04:42
ComboFix2.txt 2008-06-05 18:25:59
ComboFix3.txt 2008-06-01 22:01:06
ComboFix4.txt 2008-06-01 20:18:25
ComboFix5.txt 2008-06-01 20:14:38

Pre-Run: 538,140,672 bytes free
Post-Run: 536,576,000 bytes free

289 --- E O F --- 2008-06-05 18:45:09


HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:41 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\VPNremote for Windows XP\AvVpnService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\Program Files\National Instruments\MAX\nimxs.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
D:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSBattM.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\WINDOWS\system32\RAMASST.exe
D:\Program Files\Webshots\webshots.scr
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = co.proxy.avaya.com:8000
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [DW6] "C:\PROGRA~1\THEWEA~1\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "D:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {338095E4-1806-4BA3-AB51-38A3179200E9} (QuickMksAxCtl Class) - http://127.0.0.1:8308/ui/plugin/vmware-vmrc-win32-x86.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Avaya VPN Service (AvService) - Unknown owner - C:\Program Files\VPNremote for Windows XP\AvVpnService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - Unknown owner - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe (file missing)
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - Unknown owner - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe (file missing)
O23 - Service: Imapi Helper - Alex Feinman - D:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - D:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - D:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 12360 bytes
Blade81
2008-06-06, 09:27
Hi

Download GMER (http://www.gmer.net/gmer.zip) and save it your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.
Jax840621
2008-06-06, 10:28
Hi

Just FYI, it will probably be a few hours (6 am GMT-6) before my next reply.

Here is the output from GMER:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-06 01:23:33
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF74EF0D0]
SSDT sptd.sys ZwEnumerateKey [0xF74F4E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xF74F51BA]
SSDT sptd.sys ZwOpenKey [0xF74EF0B0]
SSDT sptd.sys ZwQueryKey [0xF74F5292]
SSDT sptd.sys ZwQueryValueKey [0xF74F5112]
SSDT sptd.sys ZwSetValueKey [0xF74F5324]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB5B852F5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB5B85321]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB5B8530B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB5B8534D]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwTerminateProcess 8058E281 5 Bytes JMP B5B85351 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 805927D8 1 Byte [ E9 ]
PAGE ntoskrnl.exe!ZwDeleteValueKey + 2 805927DA 5 Bytes [ 2B, 5F, 35, 90, 90 ]
PAGE ntoskrnl.exe!ZwDeleteKey 80593B81 7 Bytes JMP B5B852F9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 806543FF 7 Bytes JMP B5B8530F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BA8F962C 5 Bytes JMP 89704780
? System32\Drivers\ah1up000.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F7505886] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7505832] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7527892] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F7505886] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74EFAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74EFC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74EFB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74F0748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74F061E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7504ACA] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8990A1E8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Udfs \UdfsCdRom 88A3C1E8
Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk 88A3C1E8
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \Driver\NetBT \Device\NetBT_Tcpip_{FD5921EE-E9D5-416A-9D23-CC2A40A12387} 8898F1E8

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8967B1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8990C1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8990C1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8990C1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8990C1E8
Device \Driver\usbuhci \Device\USBPDO-1 8967B1E8
Device \Driver\usbuhci \Device\USBPDO-2 8967B1E8
Device \Driver\usbuhci \Device\USBPDO-3 8967B1E8
Device \Driver\usbehci \Device\USBPDO-4 896641E8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Cdrom \Device\CdRom0 8964A1E8
Device \Driver\PCI_NTPNP3224 \Device\00000059 sptd.sys
Device \Driver\PCI_NTPNP3224 \Device\00000059 sptd.sys
Device \Driver\Cdrom \Device\CdRom1 8964A1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 898991E8
Device \Driver\atapi \Device\Ide\IdePort0 898991E8
Device \Driver\atapi \Device\Ide\IdePort1 898991E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 898991E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9126E067-064D-418F-854C-4D15F407A260} 8898F1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5BB33085-543A-46B4-9DDE-544164CF4ACB} 8898F1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8898F1E8
Device \Driver\NetBT \Device\NetbiosSmb 8898F1E8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8967B1E8
Device \Driver\usbuhci \Device\USBFDO-1 8967B1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 889897A0
Device \Driver\usbuhci \Device\USBFDO-2 8967B1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 889897A0
Device \Driver\usbuhci \Device\USBFDO-3 8967B1E8
Device \Driver\Ftdisk \Device\FtControl 8989A1E8
Device \Driver\usbehci \Device\USBFDO-4 896641E8
Device \Driver\ah1up000 \Device\Scsi\ah1up0001 896BA1E8
Device \Driver\ah1up000 \Device\Scsi\ah1up0001Port2Path0Target0Lun0 896BA1E8
Device \FileSystem\Cdfs \Cdfs 8893D1E8
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 d:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBE 0x7C 0xC0 0x97 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE4 0xAD 0xA8 0x60 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x77 0xA7 0x7A 0xD7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 d:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBE 0x7C 0xC0 0x97 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE4 0xAD 0xA8 0x60 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x77 0xA7 0x7A 0xD7 ...

---- EOF - GMER 1.0.14 ----
Blade81
2008-06-06, 17:55
Hi

That looks ok. If problem isn't still appearing then it's time to take off those items in system restore and uninstall ComboFix. Following instructions include also hints for making system safer. :)


Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis




Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK



Next we remove all used tools.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.

Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the
bad
webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)

hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
Jax840621
2008-06-06, 20:02
Hi,
Thank you for all of your help.
I couldn't get OTMoveIt2 to run due to corporate firewall restrictions.(I brought my laptop to work with me). I'll run it when I get home. If I turn on Windows Automatic Updates, will I still need to visit windowsupdate.com? I have updated Java and will now start updating windows/IE.
Blade81
2008-06-06, 20:31
If I turn on Windows Automatic Updates, will I still need to visit windowsupdate.com?
Hi

You can visit the site occasionally but don't have to do it all the time since the critical ones should come through automatically. :)
Jax840621
2008-06-07, 06:29
Thank you for all of your help. This is the first time I've had something like this and I thought it would be a lot worse. This forum is priceless and your help has been very appreciated.
Blade81
2008-06-07, 14:02
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.