Help with Virtumonde

[ocagent]

I need help removing malware from my computer.

Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:02 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users\Application Data\hohederu\runifudq.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\dizonmzu.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\msfeedssync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: XBTP09902 Class - {A68282FC-D719-41c1-BC7B-78E138564025} - C:\PROGRA~1\CARTOO~1\CARTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: CALIFORNIA ASSOCIATION OF REALTORS® Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\CAR Toolbar\cartoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [heguvhaq] C:\WINDOWS\system32\ngridqfm.exe
O4 - HKCU\..\Run: [kvravswo] C:\WINDOWS\system32\dizonmzu.exe
O4 - HKCU\..\Run: [ojlrhgyr] C:\WINDOWS\system32\yvmhexoh.exe
O4 - HKCU\..\Run: [jhouznjw] C:\WINDOWS\system32\xstgnatq.exe
O4 - HKLM\..\Policies\Explorer\Run: [BUN9ebww10] C:\Documents and Settings\All Users\Application Data\hohederu\runifudq.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: CALIFORNIA ASSOCIATION OF REALTORS® Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\CAR Toolbar\cartoolbar.dll
O9 - Extra 'Tools' menuitem: CALIFORNIA ASSOCIATION OF REALTORS® Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\CAR Toolbar\cartoolbar.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.samsung.com/plugin/vmpins...m/3d/SGH-i607/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://24.248.102.30/Viewer/ActiveXV...iveXViewer.Cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topproduceronline.com/Downloads/arview2.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

--
End of file - 15257 bytes


The Kaz file

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 3:37:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 729108
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 76779
Number of viruses found: 8
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 01:37:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC34.zip/def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC34.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Omar Castro\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Omar Castro\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Application Data\Microsoft\Feeds\Mortgage Rates Updates~.feed-ms Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Temp\WCESMgr.log Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Temp\~DFEBC4.tmp Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Temp\~DFEBD1.tmp Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Temp\~DFEDF6.tmp Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Temp\~DFEE03.tmp Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Omar Castro\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Omar Castro\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Omar Castro\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CAR Toolbar\cartoolbar.dll Infected: not-a-virus:AdWare.Win32.MegaKiss.b skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7C58D00D-578C-4EB2-A7BB-F36733EC38E7}\RP881\A0170221.dll Infected: Trojan.Win32.Vapsup.egq skipped
C:\System Volume Information\_restore{7C58D00D-578C-4EB2-A7BB-F36733EC38E7}\RP881\A0170222.dll Infected: Trojan.Win32.Vapsup.eke skipped
C:\System Volume Information\_restore{7C58D00D-578C-4EB2-A7BB-F36733EC38E7}\RP888\A0172868.exe Infected: Trojan-Downloader.Win32.Obfuscated.ub skipped
C:\System Volume Information\_restore{7C58D00D-578C-4EB2-A7BB-F36733EC38E7}\RP888\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB830680$\keymgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\olgdqarf.exe Infected: Trojan.Win32.Vapsup.ego skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jelmdani.exe Infected: Trojan-Downloader.Win32.Obfuscated.ub skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat Object is locked skipped
C:\WINDOWS\vadokmxt.dll Infected: Trojan.Win32.Vapsup.eke skipped
C:\WINDOWS\wdpoefan.dll Infected: Trojan.Win32.Vapsup.eke skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\wxvgsdbq.exe Infected: Trojan.Win32.Vapsup.egs skipped

Scan process completed.

[Rorschach112]

Hello

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  Code:

  [kill explorer]
  C:\Program Files\CAR Toolbar\cartoolbar.dll 
  C:\Program Files\Morpheus\morpheustoolbar.exe
  C:\WINDOWS\olgdqarf.exe
  C:\WINDOWS\system32\jelmdani.exe 
  C:\WINDOWS\vadokmxt.dll 
  C:\WINDOWS\wdpoefan.dll
  C:\WINDOWS\wxvgsdbq.exe
  purity 
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/comb...o-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

[ocagent]

Explorer killed successfully
C:\Program Files\CAR Toolbar\cartoolbar.dll unregistered successfully.
C:\Program Files\CAR Toolbar\cartoolbar.dll moved successfully.
C:\Program Files\Morpheus\morpheustoolbar.exe moved successfully.
C:\WINDOWS\olgdqarf.exe moved successfully.
File/Folder C:\WINDOWS\system32\jelmdani.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\vadokmxt.dll
C:\WINDOWS\vadokmxt.dll NOT unregistered.
C:\WINDOWS\vadokmxt.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\wdpoefan.dll
C:\WINDOWS\wdpoefan.dll NOT unregistered.
C:\WINDOWS\wdpoefan.dll moved successfully.
C:\WINDOWS\wxvgsdbq.exe moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04282008_204138

[ocagent]

ComboFix 08-04-27.3 - Omar Castro 2008-04-28 21:54:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.165 [GMT -7:00]
Running from: C:\Documents and Settings\Omar Castro\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Omar Castro\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Desktop\blackbird.jpg
C:\Documents and Settings\Guest\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Guest\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Guest\Desktop\filemanagerclient.exe
C:\Documents and Settings\Guest\Desktop\fkwp1.5.exe
C:\Documents and Settings\Guest\Desktop\fkwp2.0.exe
C:\Documents and Settings\Guest\Desktop\fwebd.exe
C:\Documents and Settings\Guest\Desktop\FWebdEditor.exe
C:\Documents and Settings\Guest\Desktop\Trojan.Win32.BlackBird.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-28 20:41 . 2008-04-28 20:41 <DIR> d-------- C:\_OTMoveIt
2008-04-28 16:54 . 2008-04-28 16:54 102,400 --a------ C:\WINDOWS\system32\ezyrmnsl.exe
2008-04-28 13:19 . 2008-04-28 13:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 13:19 . 2008-04-28 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 11:56 . 2008-04-25 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tnuvbuii
2008-04-25 08:29 . 2008-04-25 08:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 12:52 . 2008-04-24 12:52 106,496 --a------ C:\WINDOWS\system32\xstgnatq.exe
2008-04-22 20:10 . 2008-04-22 20:10 106,496 --a------ C:\WINDOWS\system32\yvmhexoh.exe
2008-04-22 20:02 . 2008-04-22 20:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-22 20:02 . 2008-04-22 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-22 20:01 . 2008-04-22 20:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 18:45 . 2008-04-22 18:45 <DIR> d-------- C:\VundoFix Backups
2008-04-22 17:38 . 2008-04-22 17:38 98,304 --a------ C:\WINDOWS\system32\dizonmzu.exe
2008-04-21 08:56 . 2008-04-21 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hohederu
2008-04-17 08:37 . 2008-04-17 08:37 <DIR> d-------- C:\Documents and Settings\Omar Castro\Application Data\Intel
2008-04-17 08:37 . 2008-04-17 08:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-04-17 08:37 . 2008-04-17 08:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Intel
2008-04-17 08:37 . 2008-04-17 08:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-17 08:36 . 2008-04-17 08:36 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-04-17 08:36 . 2008-04-17 08:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-04-17 08:34 . 2008-04-17 08:34 <DIR> d-------- C:\inteltemp
2008-04-17 08:34 . 2006-06-29 03:27 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2008-04-17 08:34 . 2006-06-29 03:49 2,206,720 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-04-17 08:34 . 2006-06-29 03:26 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2008-03-31 08:18 . 2008-04-28 08:09 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-28 18:00 --------- d-----w C:\Program Files\Apple Software Update
2008-04-28 15:16 --------- d-----w C:\Program Files\iTunes
2008-04-28 15:16 --------- d-----w C:\Program Files\iPod
2008-04-28 15:14 --------- d-----w C:\Program Files\QuickTime
2008-04-23 02:07 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 16:07 --------- d-----w C:\Program Files\Common Files\AnswerWorks 5.0
2008-04-21 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 16:02 --------- d-----w C:\Program Files\Toshiba
2008-04-20 21:41 --------- d-----w C:\Documents and Settings\Guest\Application Data\Apple Computer
2008-04-17 15:35 --------- d-----w C:\Program Files\Intel
2008-03-31 15:23 --------- d-----w C:\Documents and Settings\Omar Castro\Application Data\Apple Computer
2008-03-27 16:10 --------- d-----w C:\Program Files\Quicken
2008-03-24 18:59 --------- d-----w C:\Documents and Settings\Omar Castro\Application Data\Intuit
2008-03-24 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 19:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2001-11-30 18:09 49,152 -c----w C:\Program Files\Common Files\HDvAvi.dll
2001-08-22 21:15 245,760 -c--a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-22 21:13 61,440 -c--a-w C:\WINDOWS\inf\i386\gl.dll
2001-08-22 21:13 32,768 -c--a-w C:\WINDOWS\inf\i386\Pmicro.dll
2001-08-04 02:29 13,824 -c--a-w C:\WINDOWS\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 03:24 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:27 160592]
"heguvhaq"="C:\WINDOWS\system32\ngridqfm.exe" [ ]
"kvravswo"="C:\WINDOWS\system32\dizonmzu.exe" [2008-04-22 17:38 98304]
"ojlrhgyr"="C:\WINDOWS\system32\yvmhexoh.exe" [2008-04-22 20:10 106496]
"jhouznjw"="C:\WINDOWS\system32\xstgnatq.exe" [2008-04-24 12:52 106496]
"gybnnvlg"="C:\WINDOWS\system32\ezyrmnsl.exe" [2008-04-28 16:54 102400]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [ ]
"pvlpoijh"="C:\WINDOWS\system32\jelmdani.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"TFncKy"="TFncKy.exe" []
"TFNF5"="TFNF5.exe" [2004-06-28 10:16 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 20:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 15:07 49152]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 18:00 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-06-17 01:04 122939]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 17:37 151552]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-09 15:58 3665920]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2004-02-25 14:12 258048]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38 802816]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [ ]
"Venturi Configurator"="C:\Program Files\Venturi2\Configurator\ventcfg.exe" [ ]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 02:51 172032]
"TOSHIBA Picture Enhancement Utility"="C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe" [2004-07-16 15:24 638976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"StrgSync.exe"="C:\Program Files\StorageSync\StrgSync.exe" [2005-10-07 20:01 3032576]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 13:45 135168]
"nwiz"="nwiz.exe" [2004-07-09 15:58 790528 C:\WINDOWS\system32\nwiz.exe]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2006-05-04 16:59 40960]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32 696320]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 00:56 50176]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 15:00 88363 C:\WINDOWS\agrsmmsg.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 24576 C:\WINDOWS\system32\000StTHK.exe]

C:\Documents and Settings\Omar Castro\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 15:06:14 59080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"BUN9ebww10"= C:\Documents and Settings\All Users\Application Data\hohederu\runifudq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Toshiba\\Ivp\\NetInt\\netint.exe"= C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ezgmntr;EZ GIG II Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\ezgmntr.sys [2007-08-22 15:08]
R2 ezgfsfilt;EZ GIG II FS Filter;C:\WINDOWS\system32\DRIVERS\ezgfsfilt.sys [2007-08-22 15:08]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 15:18]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;C:\WINDOWS\system32\DRIVERS\ttv200x.sys [2004-07-27 00:11]
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys [2001-08-08 18:52]
S3 apusbsnt;AirPrime USB Modem Device Driver;C:\WINDOWS\system32\DRIVERS\apusbsnt.sys [2004-07-15 11:00]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 14:12]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 14:12]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys [2001-12-18 11:38]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 11:27]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 15:07:51 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 04:45:10 C:\WINDOWS\Tasks\User_Feed_Synchronization-{E3F3480E-2E18-4F9B-89C1-13ABF00C3F85}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 21:57:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-28 21:58:44
ComboFix-quarantined-files.txt 2008-04-29 04:58:14
ComboFix2.txt 2008-04-23 04:43:02

Pre-Run: 46,866,497,536 bytes free
Post-Run: 46,947,348,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

186 --- E O F --- 2008-04-11 22:14:39

[Rorschach112]

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ezyrmnsl.exe
C:\WINDOWS\system32\xstgnatq.exe
C:\WINDOWS\system32\yvmhexoh.exe
C:\WINDOWS\system32\dizonmzu.exe

Folder::
C:\Documents and Settings\All Users\Application Data\tnuvbuii
C:\Documents and Settings\All Users\Application Data\hohederu

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log

[ocagent]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:47 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\xszebsxc.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [amschzfz] C:\WINDOWS\system32\xszebsxc.exe
O4 - HKLM\..\Policies\Explorer\Run: [BUN9ebww10] C:\Documents and Settings\All Users\Application Data\hohederu\runifudq.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.samsung.com/plugin/vmpins...m/3d/SGH-i607/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://24.248.102.30/Viewer/ActiveXV...iveXViewer.Cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topproduceronline.com/Downloads/arview2.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

--
End of file - 15376 bytes

[ocagent]

fake windows trojan.xs
yellow triangle with ! stating my computer is infected

I really appreciate your assistance

[Rorschach112]

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKCU\..\Run: [amschzfz] C:\WINDOWS\system32\xszebsxc.exe
O4 - HKLM\..\Policies\Explorer\Run: [BUN9ebww10] C:\Documents and Settings\All Users\Application Data\hohederu\runifudq.exe


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\xszebsxc.exe

Folder::
C:\Documents and Settings\All Users\Application Data\hohederu

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Make sure you post the ComboFix log and a new HijackThis log

[ocagent]

ComboFix 08-04-27.3 - Omar Castro 2008-04-29 10:27:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.214 [GMT -7:00]
Running from: C:\Documents and Settings\Omar Castro\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Omar Castro\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-28 23:15 . 2008-04-28 23:15 106,496 --a------ C:\WINDOWS\system32\xszebsxc.exe
2008-04-28 20:41 . 2008-04-28 20:41 <DIR> d-------- C:\_OTMoveIt
2008-04-28 13:19 . 2008-04-28 13:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 13:19 . 2008-04-28 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 08:29 . 2008-04-25 08:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 20:02 . 2008-04-22 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-22 18:45 . 2008-04-22 18:45 <DIR> d-------- C:\VundoFix Backups
2008-04-17 08:37 . 2008-04-17 08:37 <DIR> d-------- C:\Documents and Settings\Omar Castro\Application Data\Intel
2008-04-17 08:37 . 2008-04-17 08:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-04-17 08:37 . 2008-04-17 08:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Intel
2008-04-17 08:37 . 2008-04-17 08:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-17 08:36 . 2008-04-17 08:36 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-04-17 08:36 . 2008-04-17 08:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-04-17 08:34 . 2008-04-17 08:34 <DIR> d-------- C:\inteltemp
2008-04-17 08:34 . 2006-06-29 03:27 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2008-04-17 08:34 . 2006-06-29 03:49 2,206,720 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-04-17 08:34 . 2006-06-29 03:26 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2008-03-31 08:18 . 2008-04-28 08:09 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-28 18:00 --------- d-----w C:\Program Files\Apple Software Update
2008-04-28 15:16 --------- d-----w C:\Program Files\iTunes
2008-04-28 15:16 --------- d-----w C:\Program Files\iPod
2008-04-28 15:14 --------- d-----w C:\Program Files\QuickTime
2008-04-23 02:07 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 16:07 --------- d-----w C:\Program Files\Common Files\AnswerWorks 5.0
2008-04-21 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 16:02 --------- d-----w C:\Program Files\Toshiba
2008-04-20 21:41 --------- d-----w C:\Documents and Settings\Guest\Application Data\Apple Computer
2008-04-17 15:35 --------- d-----w C:\Program Files\Intel
2008-03-31 15:23 --------- d-----w C:\Documents and Settings\Omar Castro\Application Data\Apple Computer
2008-03-27 16:10 --------- d-----w C:\Program Files\Quicken
2008-03-24 18:59 --------- d-----w C:\Documents and Settings\Omar Castro\Application Data\Intuit
2008-03-24 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 19:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2001-11-30 18:09 49,152 -c----w C:\Program Files\Common Files\HDvAvi.dll
2001-08-22 21:15 245,760 -c--a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-22 21:13 61,440 -c--a-w C:\WINDOWS\inf\i386\gl.dll
2001-08-22 21:13 32,768 -c--a-w C:\WINDOWS\inf\i386\Pmicro.dll
2001-08-04 02:29 13,824 -c--a-w C:\WINDOWS\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-28_21.58.04.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 04:25:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 16:32:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 16:32:43 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 03:24 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:27 160592]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [ ]
"pvlpoijh"="C:\WINDOWS\system32\jelmdani.exe" [ ]
"ojlrhgyr"="C:\WINDOWS\system32\yvmhexoh.exe" [ ]
"kvravswo"="C:\WINDOWS\system32\dizonmzu.exe" [ ]
"jhouznjw"="C:\WINDOWS\system32\xstgnatq.exe" [ ]
"heguvhaq"="C:\WINDOWS\system32\ngridqfm.exe" [ ]
"gybnnvlg"="C:\WINDOWS\system32\ezyrmnsl.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"TFncKy"="TFncKy.exe" []
"TFNF5"="TFNF5.exe" [2004-06-28 10:16 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 20:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 15:07 49152]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 18:00 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-06-17 01:04 122939]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 17:37 151552]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-09 15:58 3665920]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2004-02-25 14:12 258048]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38 802816]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [ ]
"Venturi Configurator"="C:\Program Files\Venturi2\Configurator\ventcfg.exe" [ ]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 02:51 172032]
"TOSHIBA Picture Enhancement Utility"="C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe" [2004-07-16 15:24 638976]
"StrgSync.exe"="C:\Program Files\StorageSync\StrgSync.exe" [2005-10-07 20:01 3032576]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 13:45 135168]
"nwiz"="nwiz.exe" [2004-07-09 15:58 790528 C:\WINDOWS\system32\nwiz.exe]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32 696320]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 15:00 88363 C:\WINDOWS\agrsmmsg.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2006-05-04 16:59 40960]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 00:56 50176]

C:\Documents and Settings\Omar Castro\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 15:06:14 59080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Toshiba\\Ivp\\NetInt\\netint.exe"= C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ezgmntr;EZ GIG II Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\ezgmntr.sys [2007-08-22 15:08]
R2 ezgfsfilt;EZ GIG II FS Filter;C:\WINDOWS\system32\DRIVERS\ezgfsfilt.sys [2007-08-22 15:08]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 15:18]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;C:\WINDOWS\system32\DRIVERS\ttv200x.sys [2004-07-27 00:11]
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys [2001-08-08 18:52]
S3 apusbsnt;AirPrime USB Modem Device Driver;C:\WINDOWS\system32\DRIVERS\apusbsnt.sys [2004-07-15 11:00]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 14:12]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 14:12]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys [2001-12-18 11:38]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 11:27]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 15:07:51 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 17:30:58 C:\WINDOWS\Tasks\User_Feed_Synchronization-{E3F3480E-2E18-4F9B-89C1-13ABF00C3F85}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 10:30:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-29 10:31:59
ComboFix-quarantined-files.txt 2008-04-29 17:31:42
ComboFix2.txt 2008-04-29 14:33:56
ComboFix3.txt 2008-04-29 04:58:45
ComboFix4.txt 2008-04-23 04:43:02

Pre-Run: 46,979,194,880 bytes free
Post-Run: 46,963,630,080 bytes free

164 --- E O F --- 2008-04-11 22:14:39







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:46 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [pvlpoijh] C:\WINDOWS\system32\jelmdani.exe
O4 - HKCU\..\Run: [ojlrhgyr] C:\WINDOWS\system32\yvmhexoh.exe
O4 - HKCU\..\Run: [kvravswo] C:\WINDOWS\system32\dizonmzu.exe
O4 - HKCU\..\Run: [jhouznjw] C:\WINDOWS\system32\xstgnatq.exe
O4 - HKCU\..\Run: [heguvhaq] C:\WINDOWS\system32\ngridqfm.exe
O4 - HKCU\..\Run: [gybnnvlg] C:\WINDOWS\system32\ezyrmnsl.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Customize - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra 'Tools' menuitem: Customize Menu - {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.samsung.com/plugin/vmpins...m/3d/SGH-i607/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://24.248.102.30/Viewer/ActiveXV...iveXViewer.Cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topproduceronline.com/Downloads/arview2.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downl...ameManager.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

--
End of file - 15805 bytes

[Rorschach112]

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKCU\..\Run: [pvlpoijh] C:\WINDOWS\system32\jelmdani.exe
O4 - HKCU\..\Run: [ojlrhgyr] C:\WINDOWS\system32\yvmhexoh.exe
O4 - HKCU\..\Run: [kvravswo] C:\WINDOWS\system32\dizonmzu.exe
O4 - HKCU\..\Run: [jhouznjw] C:\WINDOWS\system32\xstgnatq.exe
O4 - HKCU\..\Run: [heguvhaq] C:\WINDOWS\system32\ngridqfm.exe
O4 - HKCU\..\Run: [gybnnvlg] C:\WINDOWS\system32\ezyrmnsl.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  Code:

  [kill explorer]
  C:\WINDOWS\system32\xszebsxc.exe
  purity 
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Reboot and do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.