Infected with Virtumonde and probably others, please help

fujil · May 27, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:43 AM, on 27/05/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TRot.exe] c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BM8bd4b0d0] Rundll32.exe "C:\WINDOWS\system32\ddnpebes.dll",s
O4 - HKLM\..\Run: [88e7834c] rundll32.exe "C:\WINDOWS\system32\ixghqqlx.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199781481968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (file missing)

--
End of file - 8563 bytes

------------------------------------------------------------
Kaspersky scan is long, the files marked infected are:

Number of viruses found 23
Number of infected objects 95
Number of suspicious objects 0

C:\Documents and Settings\All Users\Application Data\BOC425\evidence.boc Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\Documents and Settings\boss\Local Settings\Temporary Internet Files\Content.IE5\BPH91119\kb516107[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\Documents and Settings\boss\Local Settings\Temporary Internet Files\Content.IE5\UDVJCIL4\kb516107[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP132\A0024166.exe/is153017.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qij skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP132\A0024166.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP132\A0024167.msi/is153017.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qij skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP132\A0024167.msi CAB: infected - 1 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP146\A0033497.exe/stream/data0010 Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP146\A0033497.exe/stream Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP146\A0033497.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP156\A0041542.dll Infected: Trojan-Downloader.Win32.Mutant.yq skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP156\A0041559.sys Infected: Trojan-Dropper.Win32.Agent.rek skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP156\A0041565.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041581.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041583.exe Infected: Trojan-Proxy.Win32.Small.oz skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041584.sys Infected: Rootkit.Win32.Qandr.af skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041586.exe Infected: Trojan.Win32.Agent.kwy skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041587.exe Infected: Trojan-Downloader.Win32.Small.wab skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041588.exe Infected: Trojan-Downloader.Win32.Homles.bp skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041589.exe Infected: SpamTool.Win32.Agent.ip skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041728.dll Infected: Trojan-Downloader.Win32.Mutant.yq skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041729.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041730.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP157\A0041731.exe Infected: Backdoor.Win32.Agent.ggk skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042033.exe Infected: Trojan-Downloader.Win32.Agent.plz skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042102.exe/data0000.cab/AUTOKE~1.EXE/data0000.cab/install.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.tsv skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042102.exe/data0000.cab/AUTOKE~1.EXE/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.tsv skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042102.exe/data0000.cab/AUTOKE~1.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.tsv skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042102.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.tsv skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042102.exe Rsrc-Package: infected - 4 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042111.exe/data0000.cab/TuneUp2008 Keymaker.exe Infected: Backdoor.Win32.Rbot.pfa skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042111.exe/data0000.cab/is154715.exe Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042111.exe/data0000.cab Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042111.exe Rsrc-Package: infected - 3 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042112.exe/data0000.cab/is154715.exe Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042112.exe/data0000.cab Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042112.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042115.exe/data0000.cab/Keygen 2.exe Infected: Trojan-Downloader.Win32.Agent.ifq skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042115.exe/data0000.cab/is154715.exe Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042115.exe/data0000.cab Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042115.exe Rsrc-Package: infected - 3 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042116.exe/data0000.cab/is154715.exe Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042116.exe/data0000.cab Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042116.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042117.exe/data0000.cab/is154715.exe Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042117.exe/data0000.cab Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042117.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042337.sys Infected: Trojan-Dropper.Win32.Agent.rek skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042339.sys Infected: Trojan-Dropper.Win32.Agent.rek skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042340.dll Infected: Trojan-Downloader.Win32.Mutant.yq skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042341.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042342.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP161\A0042343.exe Infected: Trojan-Downloader.Win32.Homles.bp skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP165\A0042691.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP166\A0042723.exe/data0000.cab/is154715.exe Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP166\A0042723.exe/data0000.cab Infected: Trojan-Downloader.Win32.Injecter.li skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP166\A0042723.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP166\A0042730.msi/is153553.exe Infected: Trojan.Win32.Zapchast.gb skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP166\A0042730.msi CAB: infected - 1 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP166\A0042733.msi/is153553.exe Infected: Trojan.Win32.Zapchast.gb skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP166\A0042733.msi CAB: infected - 1 skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP166\change.log Object is locked skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP63\A0015753.exe/stream/data0050 Infected: not-a-virus:AdWare.Win32.Shopper.r skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP63\A0015753.exe/stream Infected: not-a-virus:AdWare.Win32.Shopper.r skipped
C:\System Volume Information\_restore{0C16E88B-C8D3-4B88-A534-8D600B484EB3}\RP63\A0015753.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\ddnpebes.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\WINDOWS\system32\jkkKaArP.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trz skipped
C:\WINDOWS\system32\jyyddvmw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\WINDOWS\system32\rqRKefDU.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trz skipped
C:\WINDOWS\system32\rwouygkl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\WINDOWS\system32\svchost.ex Infected: Trojan.Win32.Obfuscated.arg skipped
C:\WINDOWS\system32\WinNt32.dl_ Infected: Trojan-Downloader.Win32.Mutant.yq skipped

-----------------------------------------------------
Help is sincerely appreciated! Thank you in advance.

Rorschach112 · May 27, 2008

Hello

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

[kill explorer]
C:\Documents and Settings\All Users\Application Data\BOC425\evidence.boc 
C:\WINDOWS\system32\ddnpebes.dll 
C:\WINDOWS\system32\jkkKaArP.dll 
C:\WINDOWS\system32\jyyddvmw.dll 
C:\WINDOWS\system32\rqRKefDU.dll
C:\WINDOWS\system32\rwouygkl.dll 
C:\WINDOWS\system32\svchost.ex 
C:\WINDOWS\system32\WinNt32.dl_ 
purity 
[start explorer]

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

fujil · May 27, 2008

Explorer killed successfully
C:\Documents and Settings\All Users\Application Data\BOC425\evidence.boc moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ddnpebes.dll
C:\WINDOWS\system32\ddnpebes.dll NOT unregistered.
C:\WINDOWS\system32\ddnpebes.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkkKaArP.dll
C:\WINDOWS\system32\jkkKaArP.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\jkkKaArP.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jyyddvmw.dll
C:\WINDOWS\system32\jyyddvmw.dll NOT unregistered.
C:\WINDOWS\system32\jyyddvmw.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rqRKefDU.dll
C:\WINDOWS\system32\rqRKefDU.dll NOT unregistered.
C:\WINDOWS\system32\rqRKefDU.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rwouygkl.dll
C:\WINDOWS\system32\rwouygkl.dll NOT unregistered.
C:\WINDOWS\system32\rwouygkl.dll moved successfully.
C:\WINDOWS\system32\svchost.ex moved successfully.
C:\WINDOWS\system32\WinNt32.dl_ moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05272008_105501

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkkKaArP.dll
C:\WINDOWS\system32\jkkKaArP.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\jkkKaArP.dll scheduled to be moved on reboot.

-----------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:59 AM, on 27/05/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\boss\Desktop\HijackThis.exe

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TRot.exe] c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [88e7834c] rundll32.exe "C:\WINDOWS\system32\ixghqqlx.dll",b
O4 - HKLM\..\Run: [BM8bd4b0d0] Rundll32.exe "C:\WINDOWS\system32\ddnpebes.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199781481968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (file missing)

--
End of file - 8400 bytes
----------------------------------------------

I did not run ComboFix because my windows version is Tablet PC Edition and I didn't find the setup disk file required to install the recovery console. What should I do?

Rorschach112 · May 27, 2008

Go ahead and run ComboFix, just leave the Recovery Console step

fujil · May 27, 2008

ComboFix 08-05-26.2 - boss 2008-05-27 12:18:09.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.547 [GMT -4:00]
Running from: C:\Documents and Settings\boss\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8bd4b0d0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\hubpcrpc.exe
C:\WINDOWS\system32\jkkKaXoo.dll
C:\WINDOWS\system32\jpqdyyst.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlckcpuj.exe
C:\WINDOWS\system32\ooXaKkkj.ini
C:\WINDOWS\system32\ooXaKkkj.ini2
C:\WINDOWS\system32\oUCdcMoq.ini
C:\WINDOWS\system32\oUCdcMoq.ini2
C:\WINDOWS\system32\QsBJmnpo.ini
C:\WINDOWS\system32\QsBJmnpo.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 12:06 . 2008-05-27 12:06 <DIR> d-------- C:\Gmail - Fall 2008 Registration -
2008-05-27 12:06 . 2008-05-27 12:06 134,371 --a------ C:\Gmail - Fall 2008 Registration -
2008-05-27 11:13 . 2008-05-27 11:13 <DIR> d-------- C:\how-to-use-combofix_files
2008-05-27 11:13 . 2008-05-27 11:13 46,667 --a------ C:\how-to-use-combofix.htm
2008-05-27 10:57 . 2008-05-27 10:57 <DIR> d-------- C:\WTablet
2008-05-27 10:55 . 2008-05-27 10:55 <DIR> d-------- C:\_OTMoveIt
2008-05-27 04:05 . 2008-05-27 04:05 99,070 --a------ C:\kasperskyreport.html
2008-05-27 01:28 . 2008-05-27 01:28 47,964 --a------ C:\mail.google.com.htm
2008-05-27 01:24 . 2008-05-27 01:24 10,996 --a------ C:\HJTInstall.exe
2008-05-27 01:19 . 2008-05-27 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 01:18 . 2008-05-27 01:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-27 01:17 . 2008-05-27 12:38 1,416,967 ---hs---- C:\WINDOWS\system32\xlqqhgxi.ini
2008-05-27 01:17 . 2008-05-27 01:17 116,736 --a------ C:\WINDOWS\system32\ixghqqlx.dll
2008-05-26 10:42 . 2008-05-27 01:17 1,408,161 ---hs---- C:\WINDOWS\system32\ynjfapsp.ini
2008-05-26 10:36 . 2008-05-26 10:36 <DIR> d-------- C:\Program Files\ESET
2008-05-26 10:04 . 2008-05-26 10:04 58,368 --a------ C:\WINDOWS\system32\jkkKaArP.dll
2008-05-26 08:28 . 2008-05-26 08:28 <DIR> d-------- C:\TGTC_XP_4.0
2008-05-26 08:19 . 2008-05-26 08:19 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-05-26 08:19 . 2008-05-26 08:19 <DIR> d-------- C:\Program Files\Tablet
2008-05-26 08:19 . 2008-05-27 12:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-26 08:19 . 2008-05-27 12:36 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet
2008-05-26 08:14 . 2008-05-26 08:14 57,856 --a------ C:\WINDOWS\system32\wvUKAtqp.dll
2008-05-26 08:12 . 2008-05-26 08:12 <DIR> d-------- C:\Program Files\ESET(2)
2008-05-26 06:48 . 2008-05-26 06:49 2,082,810 --a------ C:\TGTC_XP_4.0.zip
2008-05-26 05:59 . 2008-05-26 07:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet(3)
2008-05-26 05:59 . 2008-05-26 08:17 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet(3)
2008-05-26 05:52 . 2008-05-26 05:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet(2)
2008-05-26 05:50 . 2008-05-26 05:50 29 --a------ C:\WINDOWS\system32\wsftswig.tmp
2008-05-26 05:45 . 2008-05-26 05:59 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet(2)
2008-05-26 05:45 . 2007-09-07 11:04 1,380,680 --a------ C:\WINDOWS\system32\PenTablet.znc
2008-05-26 05:29 . 2008-05-26 08:19 <DIR> d-------- C:\Program Files\Tablet(2)
2008-05-18 09:22 . 2008-05-18 09:49 <DIR> d-------- C:\CUSTOMIZATION
2008-05-12 22:21 . 2007-09-07 11:16 1,373,480 --a------ C:\WINDOWS\system32\Pen_Tablet.exe
2008-05-12 22:21 . 2007-09-07 11:09 128,296 --a------ C:\WINDOWS\system32\Pen_Tablet.dll
2008-05-12 22:12 . 2008-04-13 20:12 218,624 --a------ C:\WINDOWS\system32\uxtheme.backup
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-12 21:22 . 2008-05-12 21:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-12 20:59 . 2008-04-13 20:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-05-12 20:58 . 2008-04-13 20:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-05-12 13:02 . 2007-02-03 11:49 1,689,136 --a------ C:\WINDOWS\system32\PenTablet.cpl
2008-05-12 13:01 . 2007-01-22 14:09 34,736 --a------ C:\WINDOWS\system32\drivers\wisdpen.sys
2008-05-12 13:00 . 2007-09-07 10:55 181,544 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-05-12 13:00 . 2007-02-16 10:30 12,848 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
2008-05-12 13:00 . 2007-02-16 11:12 11,312 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
2008-05-07 11:23 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-07 11:23 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-05-04 21:49 . 2008-05-04 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-04 12:41 . 2008-05-04 12:41 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-05-04 11:30 . 2008-05-04 11:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-04 11:30 . 2008-05-04 11:30 2,541 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 16:22 --------- d-----w C:\Documents and Settings\boss\Application Data\Launchy
2008-05-27 09:32 485,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 09:29 25,888 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-26 15:49 --------- d-----w C:\Documents and Settings\boss\Application Data\uTorrent
2008-05-26 14:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-14 11:50 --------- d-----w C:\Documents and Settings\boss\Application Data\OpenOffice.org2
2008-05-13 11:34 --------- d-----w C:\Program Files\Sony Ericsson
2008-05-13 02:12 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-05-13 02:06 2,317,312 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-05-13 02:06 2,195,968 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-05-13 01:27 --------- d-----w C:\Program Files\Windows Journal
2008-05-12 16:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-05-11 16:32 --------- d-----w C:\Documents and Settings\boss\Application Data\foobar2000
2008-05-04 15:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-04 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 13:42 --------- d-----w C:\Program Files\Picasa2
2008-05-03 13:03 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-05-03 13:03 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-04-22 07:42 --------- d-----w C:\Program Files\Unlocker
2008-04-17 19:44 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-17 19:43 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-04-17 18:34 --------- d-----w C:\Documents and Settings\boss\Application Data\dvdcss
2008-04-14 09:42 971,264 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
.

------- Sigcheck -------

2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 11:36 551424 f66f9f237e4a8fdf1965b352c2c22fb3 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-13 20:12 552448 8187910d23822779d22f733a2c353d6c C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-04-13 20:12 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\Super Turbo Tango Patcher\Backup\user32.dll
2008-04-13 20:12 552448 8187910d23822779d22f733a2c353d6c C:\WINDOWS\system32\user32.dll

2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2008-01-08 04:20 2189312 ac8f71cbe1870d5d998bd7aa3d67ebe5 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2005-09-28 19:35 2015744 48472d224e1703882b4de0e28e205e9b C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 14:31 2195968 28aff3204eef4e6ef4c0da052a73d9c4 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-13 14:31 2023936 7f653a89f6e89e3ae0d49830eece35d4 C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntkrnlpa.exe
2008-05-12 22:06 2195968 bbe055e4a9a645c83e15ccdfcbbb7060 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2008-01-08 04:20 2309632 1c8fdf0bde8930188e029c0d1415bba2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2005-09-28 20:02 2136064 25c36dbc46e8eff2a811769a60715ac5 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 15:24 2317312 9c9fecac9d103522438c96871ed9cd80 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-04-13 15:24 2145280 40f8880122a030a7e9e1fedea833b33d C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntoskrnl.exe
2008-05-12 22:06 2317312 82e5635484b415aa6030042634c42c6b C:\WINDOWS\system32\ntoskrnl.exe

2008-04-13 20:12 1006592 8116628586b8352d8e8f1dc9a10de4cb C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 06:23 1006080 ab23f85fc5edccc32448f6051e9d17ec C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 1006592 8116628586b8352d8e8f1dc9a10de4cb C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\Super Turbo Tango Patcher\Backup\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6E95516-27C0-443D-9BA9-ABD8C12BAE16}]
2008-05-26 10:04 58368 --a------ C:\WINDOWS\system32\jkkKaArP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8B4AED6-F411-4453-B64C-6252834765CC}]
C:\WINDOWS\system32\qoMcdCUo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5BCB49F-4326-44E0-B966-9A68ED84A24D}]
C:\WINDOWS\system32\opnmJBsQ.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 15:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-19 14:27 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 18:29 88203 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2005-11-09 23:47 192512 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2005-12-15 18:28 315392 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2005-12-15 18:28 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 21:54 57344 C:\WINDOWS\system32\TOSDCR.exe]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 14:38 342272]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-01-17 20:20 258048]
"CrossMenu"="C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe" [2005-09-20 21:06 798720]
"TRot.exe"="c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2005-11-29 20:37 266240]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2005-06-29 00:43 126976]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2008-04-13 20:12 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 08:25 144784]
"88e7834c"="C:\WINDOWS\system32\ixghqqlx.dll" [2008-05-27 01:17 116736]
"BM8bd4b0d0"="C:\WINDOWS\system32\ddnpebes.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 20:38 39264]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [7/16/2007 9:25:20 PM 446464]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [1/4/2006 10:35:12 PM 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B6E95516-27C0-443D-9BA9-ABD8C12BAE16}"= C:\WINDOWS\system32\jkkKaArP.dll [2008-05-26 10:04 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKaArP]
jkkKaArP.dll 2008-05-26 10:04 58368 C:\WINDOWS\system32\jkkKaArP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2008-04-13 20:11 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-22 01:42 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 07:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
TosBtNP.dll 2006-01-27 15:49 61440 C:\WINDOWS\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2008-04-13 20:12 32256 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TSigNP]
TSigNP.dll 2005-12-28 02:05 53248 C:\WINDOWS\system32\TSigNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 KR10I;KR10I;C:\WINDOWS\system32\drivers\KR10I.sys [2006-02-14 06:50]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-28 03:31]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 16:24]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 15:08]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-22 01:55]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-22 01:55]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2005-12-22 01:25]
R2 TabletServicePen;TabletServicePen;C:\WINDOWS\system32\Pen_Tablet.exe [2007-09-07 11:16]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 01:26]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys [2002-09-13 02:48]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-22 01:37]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2005-12-26 21:59]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WISDPen;Wacom Penabled MiniDriver;C:\WINDOWS\system32\DRIVERS\wisdpen.sys [2007-01-22 14:09]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 18:47]
S3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys [2008-04-13 14:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 00:23:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-05-27 16:31:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 12:36:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkKaArP.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ixghqqlx.dll
-> C:\WINDOWS\system32\ljJAPIby.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Toshiba\TOSHIBA RAID\Service\krdevctl.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\tabbtnu.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\tcserver.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-27 12:43:28 - machine was rebooted [boss]
ComboFix-quarantined-files.txt 2008-05-27 16:42:16

Pre-Run: 58,744,029,184 bytes free
Post-Run: 58,706,788,352 bytes free

361 --- E O F --- 2008-05-23 17:40:20
-------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:19 PM, on 27/05/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\LClock\lclock.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\boss\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TRot.exe] c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BM8bd4b0d0] Rundll32.exe "C:\WINDOWS\system32\xktmuarj.dll",s
O4 - HKLM\..\Run: [88e7834c] rundll32.exe "C:\WINDOWS\system32\qcqcwmmd.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199781481968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (file missing)

--
End of file - 8382 bytes
-----------------------------------

By the way, I get this during every startup,
---------------------------
RUNDLL
---------------------------
Error loading C:\WINDOWS\system32\ddnpebes.dll

The specified module could not be found.

---------------------------
OK
---------------------------

------------------------------------
Also, windows/tabs still sometimes randomly pop-up in firefox, winanonymous, systemerrorfixer, or some other odd url.

Rorschach112 · May 27, 2008

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\xlqqhgxi.ini
C:\WINDOWS\system32\ixghqqlx.dll
C:\WINDOWS\system32\ynjfapsp.ini
C:\WINDOWS\system32\jkkKaArP.dll
C:\WINDOWS\system32\wvUKAtqp.dll
C:\WINDOWS\system32\wsftswig.tmp

Folder::

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B6E95516-27C0-443D-9BA9-ABD8C12BAE16}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKaArP]

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Also post a new HijackThis log

fujil · May 27, 2008

ComboFix 08-05-26.2 - boss 2008-05-27 14:14:06.5 - NTFSx86
Running from: C:\Documents and Settings\boss\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\boss\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ixghqqlx.dll
C:\WINDOWS\system32\jkkKaArP.dll
C:\WINDOWS\system32\wsftswig.tmp
C:\WINDOWS\system32\wvUKAtqp.dll
C:\WINDOWS\system32\xlqqhgxi.ini
C:\WINDOWS\system32\ynjfapsp.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8bd4b0d0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ixghqqlx.dll
C:\WINDOWS\system32\jkkKaArP.dll
C:\WINDOWS\system32\ljJAPIby.dll
C:\WINDOWS\system32\wsftswig.tmp
C:\WINDOWS\system32\wvUKAtqp.dll
C:\WINDOWS\system32\xlqqhgxi.ini
C:\WINDOWS\system32\ybIPAJjl.ini
C:\WINDOWS\system32\ybIPAJjl.ini2
C:\WINDOWS\system32\yjwkbwmd.exe
C:\WINDOWS\system32\ynjfapsp.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 16:07 . 2008-05-27 16:07 109,807 --a------ C:\WINDOWS\BM8bd4b0d0.xml
2008-05-27 16:07 . 2008-05-27 16:07 22 --a------ C:\WINDOWS\pskt.ini
2008-05-27 12:49 . 2008-05-27 16:08 1,488,495 ---hs---- C:\WINDOWS\system32\dmmwcqcq.ini
2008-05-27 12:49 . 2008-05-27 12:49 116,224 --a------ C:\WINDOWS\system32\qcqcwmmd.dll
2008-05-27 12:46 . 2008-05-27 12:46 126,976 --a------ C:\WINDOWS\system32\xktmuarj.dll
2008-05-27 12:06 . 2008-05-27 12:06 <DIR> d-------- C:\Gmail - Fall 2008 Registration -
2008-05-27 12:06 . 2008-05-27 12:06 134,371 --a------ C:\Gmail - Fall 2008 Registration -
2008-05-27 11:13 . 2008-05-27 11:13 <DIR> d-------- C:\how-to-use-combofix_files
2008-05-27 11:13 . 2008-05-27 11:13 46,667 --a------ C:\how-to-use-combofix.htm
2008-05-27 10:57 . 2008-05-27 10:57 <DIR> d-------- C:\WTablet
2008-05-27 10:55 . 2008-05-27 10:55 <DIR> d-------- C:\_OTMoveIt
2008-05-27 04:05 . 2008-05-27 04:05 99,070 --a------ C:\kasperskyreport.html
2008-05-27 01:28 . 2008-05-27 01:28 47,964 --a------ C:\mail.google.com.htm
2008-05-27 01:24 . 2008-05-27 01:24 10,996 --a------ C:\HJTInstall.exe
2008-05-27 01:19 . 2008-05-27 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 01:18 . 2008-05-27 01:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 10:36 . 2008-05-26 10:36 <DIR> d-------- C:\Program Files\ESET
2008-05-26 08:28 . 2008-05-26 08:28 <DIR> d-------- C:\TGTC_XP_4.0
2008-05-26 08:19 . 2008-05-26 08:19 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-05-26 08:19 . 2008-05-26 08:19 <DIR> d-------- C:\Program Files\Tablet
2008-05-26 08:19 . 2008-05-27 16:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-26 08:19 . 2008-05-27 16:06 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet
2008-05-26 08:12 . 2008-05-26 08:12 <DIR> d-------- C:\Program Files\ESET(2)
2008-05-26 06:48 . 2008-05-26 06:49 2,082,810 --a------ C:\TGTC_XP_4.0.zip
2008-05-26 05:59 . 2008-05-26 07:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet(3)
2008-05-26 05:59 . 2008-05-26 08:17 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet(3)
2008-05-26 05:52 . 2008-05-26 05:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet(2)
2008-05-26 05:45 . 2008-05-26 05:59 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet(2)
2008-05-26 05:45 . 2007-09-07 11:04 1,380,680 --a------ C:\WINDOWS\system32\PenTablet.znc
2008-05-26 05:29 . 2008-05-26 08:19 <DIR> d-------- C:\Program Files\Tablet(2)
2008-05-18 09:22 . 2008-05-18 09:49 <DIR> d-------- C:\CUSTOMIZATION
2008-05-12 22:21 . 2007-09-07 11:16 1,373,480 --a------ C:\WINDOWS\system32\Pen_Tablet.exe
2008-05-12 22:21 . 2007-09-07 11:09 128,296 --a------ C:\WINDOWS\system32\Pen_Tablet.dll
2008-05-12 22:12 . 2008-04-13 20:12 218,624 --a------ C:\WINDOWS\system32\uxtheme.backup
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-12 21:22 . 2008-05-12 21:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-12 20:59 . 2008-04-13 20:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-05-12 20:58 . 2008-04-13 20:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-05-12 13:02 . 2007-02-03 11:49 1,689,136 --a------ C:\WINDOWS\system32\PenTablet.cpl
2008-05-12 13:01 . 2007-01-22 14:09 34,736 --a------ C:\WINDOWS\system32\drivers\wisdpen.sys
2008-05-12 13:00 . 2007-09-07 10:55 181,544 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-05-12 13:00 . 2007-02-16 10:30 12,848 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
2008-05-12 13:00 . 2007-02-16 11:12 11,312 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
2008-05-07 11:23 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-07 11:23 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-05-04 21:49 . 2008-05-04 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-04 12:41 . 2008-05-04 12:41 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-05-04 11:30 . 2008-05-04 11:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-04 11:30 . 2008-05-04 11:30 2,541 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 20:08 1,488,555 --sh--w C:\WINDOWS\system32\dmmwcqcq.tmp
2008-05-27 20:08 --------- d-----w C:\Documents and Settings\boss\Application Data\Launchy
2008-05-27 17:37 --------- d-----w C:\Documents and Settings\boss\Application Data\OpenOffice.org2
2008-05-27 09:32 485,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 09:29 25,888 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-26 15:49 --------- d-----w C:\Documents and Settings\boss\Application Data\uTorrent
2008-05-26 14:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-13 11:34 --------- d-----w C:\Program Files\Sony Ericsson
2008-05-13 02:12 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-05-13 02:06 2,317,312 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-05-13 02:06 2,195,968 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-05-13 01:27 --------- d-----w C:\Program Files\Windows Journal
2008-05-12 16:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-05-11 16:32 --------- d-----w C:\Documents and Settings\boss\Application Data\foobar2000
2008-05-04 15:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-04 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 13:42 --------- d-----w C:\Program Files\Picasa2
2008-05-03 13:03 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-05-03 13:03 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-04-22 07:42 --------- d-----w C:\Program Files\Unlocker
2008-04-17 19:44 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-17 19:43 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-04-17 18:34 --------- d-----w C:\Documents and Settings\boss\Application Data\dvdcss
2008-04-14 09:42 971,264 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
.

------- Sigcheck -------

2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 11:36 551424 f66f9f237e4a8fdf1965b352c2c22fb3 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-13 20:12 552448 8187910d23822779d22f733a2c353d6c C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-04-13 20:12 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\Super Turbo Tango Patcher\Backup\user32.dll
2008-04-13 20:12 552448 8187910d23822779d22f733a2c353d6c C:\WINDOWS\system32\user32.dll

2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2008-01-08 04:20 2189312 ac8f71cbe1870d5d998bd7aa3d67ebe5 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2005-09-28 19:35 2015744 48472d224e1703882b4de0e28e205e9b C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 14:31 2195968 28aff3204eef4e6ef4c0da052a73d9c4 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-13 14:31 2023936 7f653a89f6e89e3ae0d49830eece35d4 C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntkrnlpa.exe
2008-05-12 22:06 2195968 bbe055e4a9a645c83e15ccdfcbbb7060 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2008-01-08 04:20 2309632 1c8fdf0bde8930188e029c0d1415bba2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2005-09-28 20:02 2136064 25c36dbc46e8eff2a811769a60715ac5 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 15:24 2317312 9c9fecac9d103522438c96871ed9cd80 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-04-13 15:24 2145280 40f8880122a030a7e9e1fedea833b33d C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntoskrnl.exe
2008-05-12 22:06 2317312 82e5635484b415aa6030042634c42c6b C:\WINDOWS\system32\ntoskrnl.exe

2008-04-13 20:12 1006592 8116628586b8352d8e8f1dc9a10de4cb C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 06:23 1006080 ab23f85fc5edccc32448f6051e9d17ec C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 1006592 8116628586b8352d8e8f1dc9a10de4cb C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\Super Turbo Tango Patcher\Backup\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-27_12.41.42.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-27 16:28:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 20:00:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8B4AED6-F411-4453-B64C-6252834765CC}]
C:\WINDOWS\system32\qoMcdCUo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5BCB49F-4326-44E0-B966-9A68ED84A24D}]
C:\WINDOWS\system32\opnmJBsQ.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 15:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-19 14:27 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 18:29 88203 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2005-11-09 23:47 192512 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2005-12-15 18:28 315392 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2005-12-15 18:28 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 21:54 57344 C:\WINDOWS\system32\TOSDCR.exe]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 14:38 342272]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-01-17 20:20 258048]
"CrossMenu"="C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe" [2005-09-20 21:06 798720]
"TRot.exe"="c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2005-11-29 20:37 266240]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2005-06-29 00:43 126976]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2008-04-13 20:12 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 08:25 144784]
"88e7834c"="C:\WINDOWS\system32\qcqcwmmd.dll" [2008-05-27 12:49 116224]
"BM8bd4b0d0"="C:\WINDOWS\system32\xktmuarj.dll" [2008-05-27 12:46 126976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 20:38 39264]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [7/16/2007 9:25:20 PM 446464]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [1/4/2006 10:35:12 PM 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2008-04-13 20:11 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-22 01:42 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 07:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
TosBtNP.dll 2006-01-27 15:49 61440 C:\WINDOWS\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2008-04-13 20:12 32256 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TSigNP]
TSigNP.dll 2005-12-28 02:05 53248 C:\WINDOWS\system32\TSigNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 KR10I;KR10I;C:\WINDOWS\system32\drivers\KR10I.sys [2006-02-14 06:50]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-28 03:31]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 16:24]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 15:08]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-22 01:55]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-22 01:55]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2005-12-22 01:25]
R2 TabletServicePen;TabletServicePen;C:\WINDOWS\system32\Pen_Tablet.exe [2007-09-07 11:16]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 01:26]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys [2002-09-13 02:48]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-22 01:37]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2005-12-26 21:59]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WISDPen;Wacom Penabled MiniDriver;C:\WINDOWS\system32\DRIVERS\wisdpen.sys [2007-01-22 14:09]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 18:47]
S3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys [2008-04-13 14:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 00:23:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-05-27 20:03:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 16:07:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\qcqcwmmd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Toshiba\TOSHIBA RAID\Service\krdevctl.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\tabbtnu.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\tcserver.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-27 16:13:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 20:12:53
ComboFix2.txt 2008-05-27 16:43:29

Pre-Run: 58,677,563,392 bytes free
Post-Run: 58,657,157,120 bytes free

364 --- E O F --- 2008-05-23 17:40:20
--------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:17 PM, on 27/05/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\boss\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E8B4AED6-F411-4453-B64C-6252834765CC} - C:\WINDOWS\system32\qoMcdCUo.dll (file missing)
O2 - BHO: (no name) - {F5BCB49F-4326-44E0-B966-9A68ED84A24D} - C:\WINDOWS\system32\opnmJBsQ.dll (file missing)
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TRot.exe] c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [88e7834c] rundll32.exe "C:\WINDOWS\system32\qcqcwmmd.dll",b
O4 - HKLM\..\Run: [BM8bd4b0d0] Rundll32.exe "C:\WINDOWS\system32\xktmuarj.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199781481968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - Winlogon Notify: TosBtNP - C:\WINDOWS\SYSTEM32\TosBtNP.dll
O20 - Winlogon Notify: TSigNP - C:\WINDOWS\SYSTEM32\TSigNP.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (file missing)

--
End of file - 9237 bytes

Rorschach112 · May 27, 2008

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {E8B4AED6-F411-4453-B64C-6252834765CC} - C:\WINDOWS\system32\qoMcdCUo.dll (file missing)
O2 - BHO: (no name) - {F5BCB49F-4326-44E0-B966-9A68ED84A24D} - C:\WINDOWS\system32\opnmJBsQ.dll (file missing)
O4 - HKLM\..\Run: [88e7834c] rundll32.exe "C:\WINDOWS\system32\qcqcwmmd.dll",b
O4 - HKLM\..\Run: [BM8bd4b0d0] Rundll32.exe "C:\WINDOWS\system32\xktmuarj.dll",s

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\BM8bd4b0d0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dmmwcqcq.ini
C:\WINDOWS\system32\qcqcwmmd.dll
C:\WINDOWS\system32\xktmuarj.dll
C:\WINDOWS\system32\dmmwcqcq.tmp

Folder::

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Reboot and post a new HijackThis log and tell me how your PC is running

fujil · May 28, 2008

Malwarebytes' Anti-Malware 1.12
Database version: 793

Scan type: Quick Scan
Objects scanned: 38862
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qcqcwmmd.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM8bd4b0d0 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qcqcwmmd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dmmwcqcq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xktmuarj.dll (Trojan.Agent) -> Delete on reboot.

--------------------------------------------------

ComboFix 08-05-26.2 - boss 2008-05-27 23:52:44.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.559 [GMT -4:00]
Running from: C:\Documents and Settings\boss\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\boss\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM8bd4b0d0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dmmwcqcq.ini
C:\WINDOWS\system32\dmmwcqcq.tmp
C:\WINDOWS\system32\qcqcwmmd.dll
C:\WINDOWS\system32\xktmuarj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8bd4b0d0.xml
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-27 23:42 . 2008-05-27 23:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-27 23:42 . 2008-05-27 23:42 <DIR> d-------- C:\Documents and Settings\boss\Application Data\Malwarebytes
2008-05-27 23:42 . 2008-05-27 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-27 23:42 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-27 23:42 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-27 12:06 . 2008-05-27 12:06 <DIR> d-------- C:\Gmail - Fall 2008 Registration -
2008-05-27 12:06 . 2008-05-27 12:06 134,371 --a------ C:\Gmail - Fall 2008 Registration -
2008-05-27 11:13 . 2008-05-27 11:13 <DIR> d-------- C:\how-to-use-combofix_files
2008-05-27 11:13 . 2008-05-27 11:13 46,667 --a------ C:\how-to-use-combofix.htm
2008-05-27 10:57 . 2008-05-27 10:57 <DIR> d-------- C:\WTablet
2008-05-27 10:55 . 2008-05-27 10:55 <DIR> d-------- C:\_OTMoveIt
2008-05-27 04:05 . 2008-05-27 04:05 99,070 --a------ C:\kasperskyreport.html
2008-05-27 01:28 . 2008-05-27 01:28 47,964 --a------ C:\mail.google.com.htm
2008-05-27 01:24 . 2008-05-27 01:24 10,996 --a------ C:\HJTInstall.exe
2008-05-27 01:19 . 2008-05-27 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 01:18 . 2008-05-27 01:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 10:36 . 2008-05-26 10:36 <DIR> d-------- C:\Program Files\ESET
2008-05-26 08:28 . 2008-05-26 08:28 <DIR> d-------- C:\TGTC_XP_4.0
2008-05-26 08:19 . 2008-05-26 08:19 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-05-26 08:19 . 2008-05-26 08:19 <DIR> d-------- C:\Program Files\Tablet
2008-05-26 08:19 . 2008-05-27 23:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-26 08:19 . 2008-05-27 23:50 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet
2008-05-26 08:12 . 2008-05-26 08:12 <DIR> d-------- C:\Program Files\ESET(2)
2008-05-26 06:48 . 2008-05-26 06:49 2,082,810 --a------ C:\TGTC_XP_4.0.zip
2008-05-26 05:59 . 2008-05-26 07:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet(3)
2008-05-26 05:59 . 2008-05-26 08:17 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet(3)
2008-05-26 05:52 . 2008-05-26 05:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet(2)
2008-05-26 05:45 . 2008-05-26 05:59 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet(2)
2008-05-26 05:45 . 2007-09-07 11:04 1,380,680 --a------ C:\WINDOWS\system32\PenTablet.znc
2008-05-26 05:29 . 2008-05-26 08:19 <DIR> d-------- C:\Program Files\Tablet(2)
2008-05-18 09:22 . 2008-05-18 09:49 <DIR> d-------- C:\CUSTOMIZATION
2008-05-12 22:21 . 2007-09-07 11:16 1,373,480 --a------ C:\WINDOWS\system32\Pen_Tablet.exe
2008-05-12 22:21 . 2007-09-07 11:09 128,296 --a------ C:\WINDOWS\system32\Pen_Tablet.dll
2008-05-12 22:12 . 2008-04-13 20:12 218,624 --a------ C:\WINDOWS\system32\uxtheme.backup
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-12 21:22 . 2008-05-12 21:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-12 20:59 . 2008-04-13 20:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-05-12 20:58 . 2008-04-13 20:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-05-12 13:02 . 2007-02-03 11:49 1,689,136 --a------ C:\WINDOWS\system32\PenTablet.cpl
2008-05-12 13:01 . 2007-01-22 14:09 34,736 --a------ C:\WINDOWS\system32\drivers\wisdpen.sys
2008-05-12 13:00 . 2007-09-07 10:55 181,544 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-05-12 13:00 . 2007-02-16 10:30 12,848 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
2008-05-12 13:00 . 2007-02-16 11:12 11,312 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
2008-05-07 11:23 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-07 11:23 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-05-04 21:49 . 2008-05-04 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-04 12:41 . 2008-05-04 12:41 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-05-04 11:30 . 2008-05-04 11:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-04 11:30 . 2008-05-04 11:30 2,541 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 04:12 --------- d-----w C:\Documents and Settings\boss\Application Data\Launchy
2008-05-27 17:37 --------- d-----w C:\Documents and Settings\boss\Application Data\OpenOffice.org2
2008-05-27 09:32 485,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 09:29 25,888 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-26 15:49 --------- d-----w C:\Documents and Settings\boss\Application Data\uTorrent
2008-05-26 14:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-13 11:34 --------- d-----w C:\Program Files\Sony Ericsson
2008-05-13 02:12 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-05-13 02:06 2,317,312 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-05-13 02:06 2,195,968 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-05-13 01:27 --------- d-----w C:\Program Files\Windows Journal
2008-05-12 16:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-05-11 16:32 --------- d-----w C:\Documents and Settings\boss\Application Data\foobar2000
2008-05-04 15:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-04 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 13:42 --------- d-----w C:\Program Files\Picasa2
2008-05-03 13:03 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-05-03 13:03 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-04-22 07:42 --------- d-----w C:\Program Files\Unlocker
2008-04-17 19:44 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-17 19:43 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-04-17 18:34 --------- d-----w C:\Documents and Settings\boss\Application Data\dvdcss
2008-04-14 09:42 971,264 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
.

------- Sigcheck -------

2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 11:36 551424 f66f9f237e4a8fdf1965b352c2c22fb3 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-13 20:12 552448 8187910d23822779d22f733a2c353d6c C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-04-13 20:12 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\Super Turbo Tango Patcher\Backup\user32.dll
2008-04-13 20:12 552448 8187910d23822779d22f733a2c353d6c C:\WINDOWS\system32\user32.dll

2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2008-01-08 04:20 2189312 ac8f71cbe1870d5d998bd7aa3d67ebe5 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2005-09-28 19:35 2015744 48472d224e1703882b4de0e28e205e9b C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 14:31 2195968 28aff3204eef4e6ef4c0da052a73d9c4 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-13 14:31 2023936 7f653a89f6e89e3ae0d49830eece35d4 C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntkrnlpa.exe
2008-05-12 22:06 2195968 bbe055e4a9a645c83e15ccdfcbbb7060 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2008-01-08 04:20 2309632 1c8fdf0bde8930188e029c0d1415bba2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2005-09-28 20:02 2136064 25c36dbc46e8eff2a811769a60715ac5 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 15:24 2317312 9c9fecac9d103522438c96871ed9cd80 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-04-13 15:24 2145280 40f8880122a030a7e9e1fedea833b33d C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntoskrnl.exe
2008-05-12 22:06 2317312 82e5635484b415aa6030042634c42c6b C:\WINDOWS\system32\ntoskrnl.exe

2008-04-13 20:12 1006592 8116628586b8352d8e8f1dc9a10de4cb C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 06:23 1006080 ab23f85fc5edccc32448f6051e9d17ec C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 1006592 8116628586b8352d8e8f1dc9a10de4cb C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\Super Turbo Tango Patcher\Backup\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-27_12.41.42.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-27 16:28:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 03:50:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 15:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-19 14:27 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 18:29 88203 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2005-11-09 23:47 192512 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2005-12-15 18:28 315392 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2005-12-15 18:28 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 21:54 57344 C:\WINDOWS\system32\TOSDCR.exe]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 14:38 342272]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-01-17 20:20 258048]
"CrossMenu"="C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe" [2005-09-20 21:06 798720]
"TRot.exe"="c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2005-11-29 20:37 266240]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2005-06-29 00:43 126976]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2008-04-13 20:12 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 08:25 144784]
"BM8bd4b0d0"="C:\WINDOWS\system32\xktmuarj.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 20:38 39264]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [7/16/2007 9:25:20 PM 446464]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [1/4/2006 10:35:12 PM 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2008-04-13 20:11 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-22 01:42 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 07:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
TosBtNP.dll 2006-01-27 15:49 61440 C:\WINDOWS\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2008-04-13 20:12 32256 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TSigNP]
TSigNP.dll 2005-12-28 02:05 53248 C:\WINDOWS\system32\TSigNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 KR10I;KR10I;C:\WINDOWS\system32\drivers\KR10I.sys [2006-02-14 06:50]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-28 03:31]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 16:24]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 15:08]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-22 01:55]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-22 01:55]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2005-12-22 01:25]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 01:26]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys [2002-09-13 02:48]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-22 01:37]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2005-12-26 21:59]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WISDPen;Wacom Penabled MiniDriver;C:\WINDOWS\system32\DRIVERS\wisdpen.sys [2007-01-22 14:09]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 18:47]
S3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys [2008-04-13 14:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 00:23:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-05-28 03:53:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 00:16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-28 0:34:55
ComboFix-quarantined-files.txt 2008-05-28 04:34:11
ComboFix2.txt 2008-05-27 20:13:49
ComboFix3.txt 2008-05-27 16:43:29

Pre-Run: 58,625,241,088 bytes free
Post-Run: 58,611,613,696 bytes free

320 --- E O F --- 2008-05-23 17:40:20
-----------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:44 AM, on 28/05/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\boss\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TRot.exe] c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BM8bd4b0d0] Rundll32.exe "C:\WINDOWS\system32\xktmuarj.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199781481968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - Winlogon Notify: TosBtNP - C:\WINDOWS\SYSTEM32\TosBtNP.dll
O20 - Winlogon Notify: TSigNP - C:\WINDOWS\SYSTEM32\TSigNP.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (file missing)

--
End of file - 8867 bytes
-----------------------------------------------

I get this error when I restarted my PC after combofix.

---------------------------
RUNDLL
---------------------------
Error loading C:\WINDOWS\system32\xktmuarj.dll

The specified module could not be found.

---------------------------
OK
---------------------------

It seems like nothing is popping up in firefox now though.

Rorschach112 · May 28, 2008

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKLM\..\Run: [BM8bd4b0d0] Rundll32.exe "C:\WINDOWS\system32\xktmuarj.dll",s

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\drivers\logiflt.iad

Folder::

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Reboot and post a new HijackThis log

fujil · May 28, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:11 PM, on 28/05/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Documents and Settings\boss\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TRot.exe] c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199781481968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - Winlogon Notify: TosBtNP - C:\WINDOWS\SYSTEM32\TosBtNP.dll
O20 - Winlogon Notify: TSigNP - C:\WINDOWS\SYSTEM32\TSigNP.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (file missing)

--
End of file - 8634 bytes
---------------------------------------------------
ComboFix 08-05-26.2 - boss 2008-05-28 12:50:55.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.538 [GMT -4:00]
Running from: C:\Documents and Settings\boss\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\boss\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\logiflt.iad
C:\WINDOWS\system32\drivers\lvuvc.hs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\logiflt.iad
C:\WINDOWS\system32\drivers\lvuvc.hs

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-27 23:42 . 2008-05-27 23:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-27 23:42 . 2008-05-27 23:42 <DIR> d-------- C:\Documents and Settings\boss\Application Data\Malwarebytes
2008-05-27 23:42 . 2008-05-27 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-27 23:42 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-27 23:42 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-27 12:06 . 2008-05-27 12:06 <DIR> d-------- C:\Gmail - Fall 2008 Registration - paper.cranes@gmail.com_files
2008-05-27 12:06 . 2008-05-27 12:06 134,371 --a------ C:\Gmail - Fall 2008 Registration - paper.cranes@gmail.com.htm
2008-05-27 11:13 . 2008-05-28 01:54 <DIR> d-------- C:\how-to-use-combofix_files
2008-05-27 11:13 . 2008-05-27 11:13 46,667 --a------ C:\how-to-use-combofix.htm
2008-05-27 10:57 . 2008-05-27 10:57 <DIR> d-------- C:\WTablet
2008-05-27 10:55 . 2008-05-27 10:55 <DIR> d-------- C:\_OTMoveIt
2008-05-27 04:05 . 2008-05-27 04:05 99,070 --a------ C:\kasperskyreport.html
2008-05-27 01:28 . 2008-05-27 01:28 47,964 --a------ C:\mail.google.com.htm
2008-05-27 01:24 . 2008-05-27 01:24 10,996 --a------ C:\HJTInstall.exe
2008-05-26 08:28 . 2008-05-26 08:28 <DIR> d-------- C:\TGTC_XP_4.0
2008-05-26 08:19 . 2008-05-26 08:19 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-05-26 08:19 . 2008-05-26 08:19 <DIR> d-------- C:\Program Files\Tablet
2008-05-26 08:19 . 2008-05-28 00:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-26 08:19 . 2008-05-28 00:43 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet
2008-05-26 08:12 . 2008-05-26 08:12 <DIR> d-------- C:\Program Files\ESET(2)
2008-05-26 06:48 . 2008-05-26 06:49 2,082,810 --a------ C:\TGTC_XP_4.0.zip
2008-05-26 05:59 . 2008-05-26 07:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet(3)
2008-05-26 05:59 . 2008-05-26 08:17 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet(3)
2008-05-26 05:52 . 2008-05-26 05:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet(2)
2008-05-26 05:45 . 2008-05-26 05:59 <DIR> d-------- C:\Documents and Settings\boss\Application Data\WTablet(2)
2008-05-26 05:45 . 2007-09-07 11:04 1,380,680 --a------ C:\WINDOWS\system32\PenTablet.znc
2008-05-26 05:29 . 2008-05-26 08:19 <DIR> d-------- C:\Program Files\Tablet(2)
2008-05-24 13:39 . 2008-05-25 06:24 367,901,358 --a------ C:\Desperate.Housewives.S04E11.HDTV.XviD-0TV.avi
2008-05-24 10:47 . 2008-05-24 23:29 367,693,836 --a------ C:\Desperate.Housewives.S04E14.HDTV.XviD-2HD.avi
2008-05-24 10:46 . 2008-05-25 03:28 367,851,948 --a------ C:\Desperate.Housewives.S04E13.HDTV.XviD-0TV.avi
2008-05-24 10:44 . 2008-05-25 05:39 367,846,542 --a------ C:\Desperate.Housewives.S04E12.HDTV.XViD-DOT.avi
2008-05-24 10:43 . 2008-05-24 23:35 367,647,842 --a------ C:\Desperate.Housewives.S04E15.HDTV.XviD-0TV.avi
2008-05-24 10:42 . 2008-05-26 04:53 736,599,658 --a------ C:\Desperate.Housewives.S04E16-E17.HDTV.XViD-DOT.avi
2008-05-24 09:19 . 2008-05-24 09:19 414,029 --------- C:\DSC05284.JPG
2008-05-24 09:19 . 2008-05-24 09:19 408,699 --------- C:\DSC05285.JPG
2008-05-20 18:35 . 2008-05-21 03:59 367,445,508 --a------ C:\Gossip.Girl.S01E18.HDTV.XviD-2HD.[VTV].avi
2008-05-18 09:22 . 2008-05-28 05:40 <DIR> d-------- C:\CUSTOMIZATION
2008-05-12 22:21 . 2007-09-07 11:16 1,373,480 --a------ C:\WINDOWS\system32\Pen_Tablet.exe
2008-05-12 22:21 . 2007-09-07 11:09 128,296 --a------ C:\WINDOWS\system32\Pen_Tablet.dll
2008-05-12 22:12 . 2008-04-13 20:12 218,624 --a------ C:\WINDOWS\system32\uxtheme.backup
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-12 21:26 . 2008-05-12 21:26 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-12 21:22 . 2008-05-12 21:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-12 20:59 . 2008-04-13 20:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-05-12 20:58 . 2008-04-13 20:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-05-12 13:02 . 2007-02-03 11:49 1,689,136 --a------ C:\WINDOWS\system32\PenTablet.cpl
2008-05-12 13:01 . 2007-01-22 14:09 34,736 --a------ C:\WINDOWS\system32\drivers\wisdpen.sys
2008-05-12 13:00 . 2007-09-07 10:55 181,544 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-05-12 13:00 . 2007-02-16 10:30 12,848 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
2008-05-12 13:00 . 2007-02-16 11:12 11,312 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
2008-05-07 11:23 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-07 11:23 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-05-04 21:49 . 2008-05-04 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-04 12:41 . 2008-05-04 12:41 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-05-04 11:30 . 2008-05-04 11:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-04 11:30 . 2008-05-04 11:30 2,541 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 16:59 --------- d-----w C:\Documents and Settings\boss\Application Data\Launchy
2008-05-28 16:47 --------- d-----w C:\Documents and Settings\boss\Application Data\uTorrent
2008-05-28 09:51 --------- d-----w C:\Documents and Settings\boss\Application Data\foobar2000
2008-05-28 09:49 --------- d-----w C:\Program Files\foobar2000
2008-05-27 17:37 --------- d-----w C:\Documents and Settings\boss\Application Data\OpenOffice.org2
2008-05-27 09:32 485,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 09:29 25,888 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-26 14:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-13 11:34 --------- d-----w C:\Program Files\Sony Ericsson
2008-05-13 02:12 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-05-13 02:06 2,317,312 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-05-13 02:06 2,195,968 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-05-13 01:27 --------- d-----w C:\Program Files\Windows Journal
2008-05-12 16:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-05-04 15:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-04 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 13:42 --------- d-----w C:\Program Files\Picasa2
2008-04-22 07:42 --------- d-----w C:\Program Files\Unlocker
2008-04-17 19:44 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-17 19:43 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-04-17 18:34 --------- d-----w C:\Documents and Settings\boss\Application Data\dvdcss
2008-04-14 09:42 971,264 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
.

------- Sigcheck -------

2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 11:36 551424 f66f9f237e4a8fdf1965b352c2c22fb3 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-13 20:12 552448 8187910d23822779d22f733a2c353d6c C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-04-13 20:12 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\Super Turbo Tango Patcher\Backup\user32.dll
2008-04-13 20:12 552448 8187910d23822779d22f733a2c353d6c C:\WINDOWS\system32\user32.dll

2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2008-01-08 04:20 2189312 ac8f71cbe1870d5d998bd7aa3d67ebe5 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2005-09-28 19:35 2015744 48472d224e1703882b4de0e28e205e9b C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 14:31 2195968 28aff3204eef4e6ef4c0da052a73d9c4 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-13 14:31 2023936 7f653a89f6e89e3ae0d49830eece35d4 C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntkrnlpa.exe
2008-05-12 22:06 2195968 bbe055e4a9a645c83e15ccdfcbbb7060 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2008-01-08 04:20 2309632 1c8fdf0bde8930188e029c0d1415bba2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2005-09-28 20:02 2136064 25c36dbc46e8eff2a811769a60715ac5 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 15:24 2317312 9c9fecac9d103522438c96871ed9cd80 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-04-13 15:24 2145280 40f8880122a030a7e9e1fedea833b33d C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntoskrnl.exe
2008-05-12 22:06 2317312 82e5635484b415aa6030042634c42c6b C:\WINDOWS\system32\ntoskrnl.exe

2008-04-13 20:12 1006592 8116628586b8352d8e8f1dc9a10de4cb C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 06:23 1006080 ab23f85fc5edccc32448f6051e9d17ec C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 1006592 8116628586b8352d8e8f1dc9a10de4cb C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 C:\WINDOWS\Super Turbo Tango Patcher\Backup\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-27_12.41.42.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-27 16:28:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 04:43:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 15:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-19 14:27 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-24 00:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 18:29 88203 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2005-11-09 23:47 192512 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2005-12-15 18:28 315392 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2005-12-15 18:28 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TOSDCR"="TOSDCR.EXE" [2005-12-12 21:54 57344 C:\WINDOWS\system32\TOSDCR.exe]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 14:38 342272]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-01-17 20:20 258048]
"CrossMenu"="C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe" [2005-09-20 21:06 798720]
"TRot.exe"="c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2005-11-29 20:37 266240]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2005-06-29 00:43 126976]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2008-04-13 20:12 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 08:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 20:38 39264]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [7/16/2007 9:25:20 PM 446464]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [1/4/2006 10:35:12 PM 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2008-04-13 20:11 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-22 01:42 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 07:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
TosBtNP.dll 2006-01-27 15:49 61440 C:\WINDOWS\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2008-04-13 20:12 32256 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TSigNP]
TSigNP.dll 2005-12-28 02:05 53248 C:\WINDOWS\system32\TSigNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 KR10I;KR10I;C:\WINDOWS\system32\drivers\KR10I.sys [2006-02-14 06:50]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-28 03:31]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 16:24]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 15:08]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-22 01:55]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-22 01:55]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2005-12-22 01:25]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 01:26]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys [2002-09-13 02:48]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-22 01:37]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2005-12-26 21:59]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WISDPen;Wacom Penabled MiniDriver;C:\WINDOWS\system32\DRIVERS\wisdpen.sys [2007-01-22 14:09]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 18:47]
S3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys [2008-04-13 14:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 00:23:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-05-28 06:17:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 13:06:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-28 13:18:44
ComboFix-quarantined-files.txt 2008-05-28 17:18:11
ComboFix2.txt 2008-05-28 04:35:08
ComboFix3.txt 2008-05-27 20:13:49
ComboFix4.txt 2008-05-27 16:43:29

Pre-Run: 54,806,777,856 bytes free
Post-Run: 54,793,564,160 bytes free

324 --- E O F --- 2008-05-23 17:40:20
------------------------------------------------

The error prompt is gone. Everything seem to be running okay. If all looks good to you, thank you so much for all your help!

Rorschach112 · May 28, 2008

Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here

Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time protection program or there will be a conflict.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

fujil · May 28, 2008

Thank you so much for all your help, it's greatly appreciated! Have a lovely day.

Rorschach112 · May 28, 2008

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Infected with Virtumonde and probably others, please help

fujil

New member

Rorschach112

Retired Security Volunteer

fujil

New member

Rorschach112

Retired Security Volunteer

fujil

New member

Rorschach112

Retired Security Volunteer

fujil

New member

Rorschach112

Retired Security Volunteer

fujil

New member

Rorschach112

Retired Security Volunteer

fujil

New member

Rorschach112

Retired Security Volunteer

fujil

New member

Rorschach112

Retired Security Volunteer