No internet no antivirus ...

combofix and drweb

ComboFix 08-04-24.1 - R 2008-04-30 0:59:28.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1256.963.1033.18.1150 [GMT 2:00]
Running from: C:\Users\R\Desktop\Combo-Fix.exe
Command switches used :: C:\Users\R\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\system32\mdelk.exe
D:\nideiect.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\ban_list.txt
C:\Windows\system32\drivers\downld
C:\Windows\system32\drivers\downld\142038.exe
C:\Windows\system32\drivers\downld\166967.exe
C:\Windows\system32\drivers\downld\185500.exe
C:\Windows\system32\drivers\downld\188652.exe
C:\Windows\system32\drivers\downld\193612.exe
C:\Windows\system32\drivers\downld\196935.exe
C:\Windows\system32\drivers\downld\197856.exe
C:\Windows\system32\drivers\downld\203846.exe
C:\Windows\system32\drivers\downld\209431.exe
C:\Windows\system32\drivers\downld\214750.exe
C:\Windows\system32\drivers\downld\235811.exe
C:\Windows\system32\drivers\downld\243720.exe
C:\Windows\system32\drivers\downld\247667.exe
C:\Windows\system32\drivers\downld\254843.exe
C:\Windows\system32\drivers\downld\296074.exe
C:\Windows\system32\drivers\downld\306042.exe
C:\Windows\system32\drivers\downld\311268.exe
C:\Windows\system32\drivers\downld\325449.exe
C:\Windows\system32\drivers\downld\337726.exe
C:\Windows\system32\drivers\downld\343202.exe
C:\Windows\system32\drivers\downld\356446.exe
C:\Windows\system32\drivers\downld\368739.exe
C:\Windows\system32\drivers\downld\380221.exe
C:\Windows\system32\drivers\downld\395821.exe
C:\Windows\system32\drivers\downld\406101.exe
C:\Windows\system32\drivers\downld\408285.exe
C:\Windows\system32\drivers\downld\410532.exe
C:\Windows\system32\drivers\downld\412794.exe
C:\Windows\system32\drivers\downld\4237876.exe
C:\Windows\system32\drivers\downld\4240559.exe
C:\Windows\system32\drivers\downld\4242103.exe
C:\Windows\system32\drivers\downld\430172.exe
C:\Windows\system32\drivers\downld\434883.exe
C:\Windows\system32\drivers\downld\443604.exe
C:\Windows\system32\drivers\downld\483681.exe
C:\Windows\system32\drivers\downld\514007.exe
C:\Windows\system32\drivers\downld\527564.exe
C:\Windows\system32\drivers\downld\534428.exe
C:\Windows\system32\drivers\downld\534802.exe
C:\Windows\system32\drivers\downld\547610.exe
C:\Windows\system32\drivers\downld\777430.exe
C:\Windows\system32\drivers\downld\782017.exe
C:\Windows\system32\drivers\hldrrr.exe
C:\Windows\system32\drivers\mdelk.exe
C:\Windows\system32\drivers\srosa.sys
C:\Windows\system32\mdelk.exe
C:\Windows\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 22:29 --------- d-----w C:\Program Files\ChrisTV PVR
2008-04-29 21:43 --------- d-----w C:\Program Files\DScaler
2008-04-29 21:37 --------- d-----w C:\Users\R\AppData\Roaming\River Past G5
2008-04-29 21:37 --------- d-----w C:\ProgramData\River Past G5
2008-04-29 21:32 161,140 ----a-w C:\Windows\DirectShow Detective Uninstaller.exe
2008-04-29 21:32 --------- d-----w C:\Program Files\River Past
2008-04-29 21:32 --------- d-----w C:\Program Files\Common Files\River Past
2008-04-29 21:12 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-04-29 21:11 --------- d-----w C:\Program Files\DVDVideoSoft
2008-04-29 19:20 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 19:20 --------- d-----w C:\Users\R\AppData\Roaming\GHISLER
2008-04-29 19:20 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-29 19:20 --------- d-----w C:\ProgramData\FLEXnet
2008-04-29 19:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-29 19:20 --------- d-----w C:\Program Files\My Ebook Library
2008-04-29 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\AVerMedia
2008-04-29 19:20 --------- d-----w C:\Program Files\AVerMedia
2008-04-28 19:39 --------- d-----w C:\Program Files\QuickMediaConverter
2008-04-26 17:33 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 15:27 --------- d-----w C:\Users\Guest\AppData\Roaming\Flock
2008-04-26 11:44 --------- d-----w C:\Program Files\CCleaner
2008-04-26 07:51 87,497 ----a-w C:\MGlogs.zip
2008-04-26 06:06 --------- d-----w C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 06:04 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-26 06:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 05:54 --------- d-----w C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 05:54 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 05:35 1,238,055 ----a-w C:\MGtools.exe
2008-04-26 03:36 --------- d-----w C:\ProgramData\avg8
2008-04-26 03:35 10,520 ------w C:\Windows\System32\avgrsstx.dll
2008-04-26 03:35 --------- d-----w C:\Program Files\AVG
2008-04-26 02:35 --------- d-----w C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 02:35 --------- d-----w C:\Program Files\WinVDRPRO
2008-04-26 01:09 --------- d-----w C:\Users\R\AppData\Roaming\Greyfirst
2008-04-26 01:09 --------- d-----w C:\Program Files\Celtx
2008-04-25 23:42 --------- d-----w C:\Program Files\MatroskaProp
2008-04-25 00:29 --------- d-----w C:\Program Files\Movienizer
2008-04-19 23:45 --------- d-----w C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 10:35 --------- d-----w C:\Program Files\KeyScrambler
2008-04-16 08:38 --------- d-----w C:\Program Files\QuickTime
2008-04-16 08:37 --------- d-----w C:\ProgramData\Apple Computer
2008-04-16 08:33 --------- d-----w C:\ProgramData\Apple
2008-04-16 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 18:19 --------- d-----w C:\Program Files\DivXLand
2008-04-15 17:49 --------- d-----w C:\Users\R\AppData\Roaming\Jubler
2008-04-15 16:58 --------- d-----w C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 23:02 --------- d-----w C:\Program Files\LearnPoker
2008-04-10 19:44 --------- d-----w C:\Program Files\DivX
2008-04-10 03:02 --------- d-----w C:\Program Files\Windows Mail
2008-04-07 18:16 --------- d-----w C:\Program Files\ChrisTV
2008-04-07 17:01 --------- d-----w C:\Program Files\Common Files\NacreWare
2008-04-07 14:16 --------- d-----w C:\ProgramData\Team MediaPortal
2008-04-07 14:15 --------- d-----w C:\Program Files\Team MediaPortal
2008-04-06 12:31 205,792 ----a-w C:\GDIPFONTCACHEV1.DAT
2008-04-06 10:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 08:05 --------- d-----w C:\Program Files\EMDB
2008-04-05 00:01 --------- d-----w C:\Program Files\AMC2000
2008-04-02 13:40 --------- d-----w C:\Program Files\Aspell
2008-04-02 08:49 --------- d-----w C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-31 03:33 --------- d-----w C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 03:02 --------- d-----w C:\Users\R\AppData\Roaming\tor
2008-03-31 00:25 223,424 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-03-30 17:15 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-03-30 17:14 --------- d-----w C:\Program Files\RealMedia
2008-03-30 17:14 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 17:12 --------- d-----w C:\Program Files\SHOUTcast Source
2008-03-30 17:12 --------- d-----w C:\Program Files\DSP-worx
2008-03-30 17:12 --------- d-----w C:\Program Files\DirectVobSub
2008-03-28 14:45 --------- d-----w C:\Program Files\DC++
2008-03-28 00:35 --------- d-----w C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 00:35 --------- d-----w C:\Program Files\Uniblue
2008-03-25 15:45 --------- d-----w C:\Users\R\AppData\Roaming\Autodesk
2008-03-25 15:45 --------- d-----w C:\ProgramData\Autodesk
2008-03-25 00:52 --------- d-----w C:\ProgramData\Symantec
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-20 22:36 --------- d-----w C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 09:24 --------- d-----w C:\Program Files\Crown Forex Trading Station 4
2008-03-19 11:27 --------- d-----w C:\Users\R\AppData\Roaming\Bytescout SWF To Video Scout
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-04 13:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\k ----



------- Sigcheck -------

2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\System32\drivers\tcpip.sys
2006-11-02 10:58 802816 d944522b048a5feb7700b5170d3d9423 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys
2008-01-09 12:53 802816 028061c7f6d2d03068c72e2a27e4228a C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16627_none_5f90b964923d030a\tcpip.sys
2008-01-09 12:53 804352 43eae40b50fe3e60d194dd9c97ebb1fd C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys
2008-02-13 18:13 806400 52a8bd6294f7d1443c6184c67ae13af4 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20752_none_5ff4e4f9ab7777f4\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot_2008-04-27_22.17.51,16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 20:02:58 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-29 23:08:25 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-29 18:55:34 57,344 ----a-r C:\Windows\Installer\{799A3CB8-DCD5-4B48-ACAD-4D5FABCC7B21}\ARPPRODUCTICON.exe
- 2008-04-27 20:01:43 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-04-29 23:07:07 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-04-27 20:03:01 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-27 20:03:01 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-27 20:04:47 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-29 23:20:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-27 20:04:54 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-29 23:20:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-29 23:20:38 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-27 20:05:14 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-27 20:05:14 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-29 19:27:04 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-27 20:05:14 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-26 15:23:25 122,410 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-29 21:07:03 122,410 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-26 15:23:25 659,754 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-29 21:07:03 659,754 ----a-w C:\Windows\System32\perfh009.dat
- 2006-11-17 12:35:06 262,144 ------r C:\Windows\System32\sptlib01.dll
+ 2006-11-17 05:35:06 262,144 ------r C:\Windows\System32\sptlib01.dll
- 2007-03-16 02:27:36 253,952 ------r C:\Windows\System32\sptlib02.dll
+ 2007-03-15 19:27:36 253,952 ------r C:\Windows\System32\sptlib02.dll
+ 2004-09-23 05:01:00 638,976 ---ha-w C:\Windows\System32\TOSCDSPD.EXE
- 2008-04-27 20:05:10 13,262 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
+ 2008-04-29 19:25:10 13,646 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
- 2008-04-27 20:05:09 111,066 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-29 19:25:09 111,978 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-27 20:01:41 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-04-28 21:57:17 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-04-27 20:05:07 70,092 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-29 19:25:07 70,494 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-16 08:27:44 415,072 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-04-28 01:12:37 417,276 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="TOSCDSPD.EXE" [2004-09-23 07:01 638976 C:\Windows\System32\TOSCDSPD.EXE]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 09:40 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 01:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 18:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-29 13:43 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 15:46 534648]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 19:14 34352]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 10:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-11-01 13:08 438272]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-30 01:03 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-04-30 01:03 22696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 10:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 10:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 10:40 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 05:32 898344]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 05:00 204800]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2008-04-29 20:55:51 618496]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 2007-04-19 12:41 294912 E:\1\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-750633413-4032638155-1365244786-1000]
"EnableNotificationsRef"=dword:00000009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{62FA87DF-113A-453C-BCA0-ACA385B5EE65}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{5EA8B303-9DAE-4E1A-A73D-1A127FE16BBC}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{58125C7D-B430-4BD9-B491-87389DDE2A81}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{63A173B0-C9AD-46CB-A81D-9A324C6056B0}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{47D27F1D-EA25-4C77-A137-ED1CAF387567}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7D7F429-D75D-4C48-9920-9296AFDE1EFD}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{5750A28D-0251-49F5-BC8B-9D36237D45D5}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CBD0881F-E7E7-4490-8A2C-947A16395419}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{6B90128A-8526-4C76-8527-E22B4BC09273}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{04C7A7AE-3C28-4FF4-AF86-3AD0B9CD0FF7}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69D4F31B-E0C4-4DA3-B9C4-632E9F3D34A5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4ED654C1-BF0F-4353-AEC0-AF1C7495251B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{03605E4F-77E3-4095-ADBE-30D00693D00B}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{B8926958-DA97-4F8E-998B-34CABFC7FC82}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{D4155DA4-5FEA-42D6-B07E-6C4EFA616C14}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071002.003\IDSvix86.sys [2007-09-13 16:49]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys [2007-06-19 09:59]
R1 PSched;QoS Packet Scheduler;C:\Windows\system32\DRIVERS\pacer.sys [2007-08-29 10:07]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 16:56]
R2 VPCAppSv;Virtual PC Application Services;C:\Windows\system32\DRIVERS\VPCAppSv.sys [2002-10-10 23:10]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;C:\Windows\system32\drivers\AVerFx2hbtv.sys [2007-08-16 11:54]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 16:13]
S2 CardBusService;CardBusService;C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe [2007-04-24 02:15]
S2 SBSDWSCService;SBSD Security Center Service;E:\2\SDWinSec.exe [2008-01-28 11:43]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-18 16:40]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-18 16:47]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c27c1af2-294a-11dc-a41c-806e6f6e6963}]
\shell\AutoRun\command - F:\Autorun.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 18:43:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - R.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-04-29 23:40:04 C:\Windows\Tasks\User_Feed_Synchronization-{FB15F4EB-BD17-472F-8975-5C236FC8AC98}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 01:32:41
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 4

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\System32\Crypserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\System32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\conime.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\System32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehrecvr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-04-30 1:40:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 23:40:28
ComboFix2.txt 2008-04-27 20:18:34
ComboFix3.txt 2008-04-26 17:45:39
ComboFix4.txt 2008-04-26 13:15:48

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

390 --- E O F --- 2008-04-24 16:46:15

DrWeb.csv
MGtools.exe;C:\;Adware.Borlander.231;;
_SetupPoker.exe;C:\Poker\CDPoker;Adware.Casino.49;;
process.exe;C:\Program Files\myphotobook\xtras;Tool.Prockill;;
188652.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
209431.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
4240559.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
430172.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
PSEXESVC.EXE;C:\Windows;Program.PsExec.170;;
SetupPoker.exe;E:\download\Poker\Online;Adware.Casino.49;;
viewer.exe;E:\download\Virtual Network\vnc;Program.RemoteAdmin;;
MGtools.exe;E:\rescue;Adware.Borlander.231;;
 
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
F:\Autorun.exe

SysRst::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c27c1af2-294a-11dc-a41c-806e6f6e6963}]

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe


Combo-Do.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Let me know if you can do these scans


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Click here to use the F-Secure Online Scanner
  • Then click the Start Scanning button below.
  • You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.
 
Hi
The scanners work for me, but they take time to do the full system scan. I will post the reports as soon as possible.

Here is the ComboFix log

ComboFix 08-04-24.1 - R 2008-05-01 13:44:54.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1256.963.1033.18.1143 [GMT 2:00]
Running from: C:\Users\R\Desktop\Combo-Fix.exe
Command switches used :: C:\Users\R\Desktop\CFScript.txt
* Created a new restore point

FILE ::
F:\Autorun.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 23:53 --------- d-----w C:\Program Files\boost
2008-04-30 23:36 --------- d-----w C:\Program Files\ChrisTV PVR
2008-04-29 23:49 --------- d-----w C:\Program Files\DScaler
2008-04-29 21:37 --------- d-----w C:\Users\R\AppData\Roaming\River Past G5
2008-04-29 21:37 --------- d-----w C:\ProgramData\River Past G5
2008-04-29 21:32 161,140 ----a-w C:\Windows\DirectShow Detective Uninstaller.exe
2008-04-29 21:32 --------- d-----w C:\Program Files\River Past
2008-04-29 21:32 --------- d-----w C:\Program Files\Common Files\River Past
2008-04-29 21:12 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-04-29 21:11 --------- d-----w C:\Program Files\DVDVideoSoft
2008-04-29 19:20 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 19:20 --------- d-----w C:\Users\R\AppData\Roaming\GHISLER
2008-04-29 19:20 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-29 19:20 --------- d-----w C:\ProgramData\FLEXnet
2008-04-29 19:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-29 19:20 --------- d-----w C:\Program Files\My Ebook Library
2008-04-29 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\AVerMedia
2008-04-29 19:20 --------- d-----w C:\Program Files\AVerMedia
2008-04-28 19:39 --------- d-----w C:\Program Files\QuickMediaConverter
2008-04-26 17:33 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 15:27 --------- d-----w C:\Users\Guest\AppData\Roaming\Flock
2008-04-26 11:44 --------- d-----w C:\Program Files\CCleaner
2008-04-26 07:51 87,497 ----a-w C:\MGlogs.zip
2008-04-26 06:06 --------- d-----w C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 06:04 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-26 06:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 05:54 --------- d-----w C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 05:54 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 05:35 1,238,055 ----a-w C:\MGtools.exe
2008-04-26 03:36 --------- d-----w C:\ProgramData\avg8
2008-04-26 03:35 10,520 ------w C:\Windows\System32\avgrsstx.dll
2008-04-26 03:35 --------- d-----w C:\Program Files\AVG
2008-04-26 02:35 --------- d-----w C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 02:35 --------- d-----w C:\Program Files\WinVDRPRO
2008-04-26 01:09 --------- d-----w C:\Users\R\AppData\Roaming\Greyfirst
2008-04-26 01:09 --------- d-----w C:\Program Files\Celtx
2008-04-25 23:42 --------- d-----w C:\Program Files\MatroskaProp
2008-04-25 00:29 --------- d-----w C:\Program Files\Movienizer
2008-04-19 23:45 --------- d-----w C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 10:35 --------- d-----w C:\Program Files\KeyScrambler
2008-04-16 08:38 --------- d-----w C:\Program Files\QuickTime
2008-04-16 08:37 --------- d-----w C:\ProgramData\Apple Computer
2008-04-16 08:33 --------- d-----w C:\ProgramData\Apple
2008-04-16 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 18:19 --------- d-----w C:\Program Files\DivXLand
2008-04-15 17:49 --------- d-----w C:\Users\R\AppData\Roaming\Jubler
2008-04-15 16:58 --------- d-----w C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 23:02 --------- d-----w C:\Program Files\LearnPoker
2008-04-10 19:44 --------- d-----w C:\Program Files\DivX
2008-04-10 03:02 --------- d-----w C:\Program Files\Windows Mail
2008-04-07 18:16 --------- d-----w C:\Program Files\ChrisTV
2008-04-07 17:01 --------- d-----w C:\Program Files\Common Files\NacreWare
2008-04-07 14:16 --------- d-----w C:\ProgramData\Team MediaPortal
2008-04-07 14:15 --------- d-----w C:\Program Files\Team MediaPortal
2008-04-06 12:31 205,792 ----a-w C:\GDIPFONTCACHEV1.DAT
2008-04-06 10:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 08:05 --------- d-----w C:\Program Files\EMDB
2008-04-05 00:01 --------- d-----w C:\Program Files\AMC2000
2008-04-02 13:40 --------- d-----w C:\Program Files\Aspell
2008-04-02 08:49 --------- d-----w C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-31 03:33 --------- d-----w C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 03:02 --------- d-----w C:\Users\R\AppData\Roaming\tor
2008-03-31 00:25 223,424 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-03-30 17:15 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-03-30 17:14 --------- d-----w C:\Program Files\RealMedia
2008-03-30 17:14 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 17:12 --------- d-----w C:\Program Files\SHOUTcast Source
2008-03-30 17:12 --------- d-----w C:\Program Files\DSP-worx
2008-03-30 17:12 --------- d-----w C:\Program Files\DirectVobSub
2008-03-28 14:45 --------- d-----w C:\Program Files\DC++
2008-03-28 00:35 --------- d-----w C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 00:35 --------- d-----w C:\Program Files\Uniblue
2008-03-25 15:45 --------- d-----w C:\Users\R\AppData\Roaming\Autodesk
2008-03-25 15:45 --------- d-----w C:\ProgramData\Autodesk
2008-03-25 00:52 --------- d-----w C:\ProgramData\Symantec
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-20 22:36 --------- d-----w C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 09:24 --------- d-----w C:\Program Files\Crown Forex Trading Station 4
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-04 13:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\System32\drivers\tcpip.sys
2006-11-02 10:58 802816 d944522b048a5feb7700b5170d3d9423 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys
2008-01-09 12:53 802816 028061c7f6d2d03068c72e2a27e4228a C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16627_none_5f90b964923d030a\tcpip.sys
2008-01-09 12:53 804352 43eae40b50fe3e60d194dd9c97ebb1fd C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys
2008-02-13 18:13 806400 52a8bd6294f7d1443c6184c67ae13af4 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20752_none_5ff4e4f9ab7777f4\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot_2008-04-30_ 1.40.02.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 23:08:25 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-01 10:33:15 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-29 23:07:07 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-05-01 04:16:17 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-01 10:33:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-01 10:33:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-29 23:20:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-01 10:39:46 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-29 23:20:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-01 10:39:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-01 10:33:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-29 19:27:04 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-01 10:33:22 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-01 10:33:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-29 19:25:10 13,646 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
+ 2008-05-01 10:40:33 13,798 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
- 2008-04-29 19:25:09 111,978 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-01 10:40:32 112,304 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-28 21:57:17 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-05-01 04:16:13 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-04-29 19:25:07 70,494 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-01 10:40:30 70,706 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-28 01:12:37 417,276 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-04-30 19:34:39 419,558 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="TOSCDSPD.EXE" [2004-09-23 07:01 638976 C:\Windows\System32\TOSCDSPD.EXE]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 09:40 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 01:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 18:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-29 13:43 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 15:46 534648]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 19:14 34352]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 10:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-11-01 13:08 438272]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-30 01:03 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-04-30 01:03 22696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 10:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 10:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 10:40 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 05:32 898344]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 05:00 204800]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2008-04-29 20:55:51 618496]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 2007-04-19 12:41 294912 E:\1\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-750633413-4032638155-1365244786-1000]
"EnableNotificationsRef"=dword:00000009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{62FA87DF-113A-453C-BCA0-ACA385B5EE65}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{5EA8B303-9DAE-4E1A-A73D-1A127FE16BBC}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{58125C7D-B430-4BD9-B491-87389DDE2A81}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{63A173B0-C9AD-46CB-A81D-9A324C6056B0}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{47D27F1D-EA25-4C77-A137-ED1CAF387567}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7D7F429-D75D-4C48-9920-9296AFDE1EFD}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{5750A28D-0251-49F5-BC8B-9D36237D45D5}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CBD0881F-E7E7-4490-8A2C-947A16395419}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{6B90128A-8526-4C76-8527-E22B4BC09273}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{04C7A7AE-3C28-4FF4-AF86-3AD0B9CD0FF7}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69D4F31B-E0C4-4DA3-B9C4-632E9F3D34A5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4ED654C1-BF0F-4353-AEC0-AF1C7495251B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{03605E4F-77E3-4095-ADBE-30D00693D00B}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{B8926958-DA97-4F8E-998B-34CABFC7FC82}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{D4155DA4-5FEA-42D6-B07E-6C4EFA616C14}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071002.003\IDSvix86.sys [2007-09-13 16:49]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys [2007-06-19 09:59]
R1 PSched;QoS Packet Scheduler;C:\Windows\system32\DRIVERS\pacer.sys [2007-08-29 10:07]
R2 SBSDWSCService;SBSD Security Center Service;E:\2\SDWinSec.exe [2008-01-28 11:43]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 16:56]
R2 VPCAppSv;Virtual PC Application Services;C:\Windows\system32\DRIVERS\VPCAppSv.sys [2002-10-10 23:10]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;C:\Windows\system32\drivers\AVerFx2hbtv.sys [2007-08-16 11:54]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 16:13]
S2 CardBusService;CardBusService;C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe [2007-04-24 02:15]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-18 16:40]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-18 16:47]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 18:43:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - R.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-05-01 11:50:10 C:\Windows\Tasks\User_Feed_Synchronization-{FB15F4EB-BD17-472F-8975-5C236FC8AC98}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 13:49:24
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 4

**************************************************************************
.
Completion time: 2008-05-01 13:53:06
ComboFix-quarantined-files.txt 2008-05-01 11:52:27
ComboFix2.txt 2008-04-29 23:40:36
ComboFix3.txt 2008-04-27 20:18:34
ComboFix4.txt 2008-04-26 17:45:39
ComboFix5.txt 2008-04-26 13:15:48

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

288 --- E O F --- 2008-04-24 16:46:15
 
It is worth it.

Can you run this scan after Kaspersky?


Click here to use the F-Secure Online Scanner
  • Then click the Start Scanning button below.
  • You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.
 
Kaspersky report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 01, 2008 11:09:21 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/05/2008
Kaspersky Anti-Virus database records: 734019
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 290524
Number of viruses found: 9
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 08:32:47

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080429214531\backup\Users\R\AppData\Local\Temp\FD3.tmp/data0005 Infected: not-a-virus:AdWare.Win32.BHO.ya skipped
C:\Deckard\System Scanner\20080429214531\backup\Users\R\AppData\Local\Temp\FD3.tmp NSIS: infected - 1 skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_191.trc Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\51f7e9db8cfb930fc0966fba351a8b83_b49eb2c3-5962-4fc7-96ae-fddc52592233 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fed42419e485e6ba3bdb56159f33a896_b49eb2c3-5962-4fc7-96ae-fddc52592233 Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.27.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.27.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010021.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy21.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf5A9E.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf5A9F.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtETmp\80C3DCE9.TMP Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtETmp\A8FE730D.TMP Object is locked skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\166967.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\196935.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\214750.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\306042.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\412794.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\4242103.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/srosa.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/wintems.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/mdelk.exe.1 Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip ZIP: infected - 5 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\R\AppData\Local\Flock\Browser\Profiles\savu57pw.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\R\AppData\Local\Flock\Browser\Profiles\savu57pw.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\R\AppData\Local\Flock\Browser\Profiles\savu57pw.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\R\AppData\Local\Flock\Browser\Profiles\savu57pw.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\R\AppData\Local\Flock\Browser\Profiles\savu57pw.default\XUL.mfl Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Messenger\ramiko82@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Messenger\ramiko82@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Messenger\ramiko82@hotmail.com\SharingMetadata\Working\database_10BE_6378_BE63_54EE\dfsr.db Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Messenger\ramiko82@hotmail.com\SharingMetadata\Working\database_10BE_6378_BE63_54EE\fsrtmp.log Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Messenger\ramiko82@hotmail.com\SharingMetadata\Working\database_10BE_6378_BE63_54EE\tmp.edb Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008050120080502\index.dat Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\UsrClass.dat{183412de-2945-11dc-8b50-0016d4fad5f8}.TM.blf Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\UsrClass.dat{183412de-2945-11dc-8b50-0016d4fad5f8}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows\UsrClass.dat{183412de-2945-11dc-8b50-0016d4fad5f8}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows Live Contacts\ramiko82@hotmail.com\real\members.stg Object is locked skipped
C:\Users\R\AppData\Local\Microsoft\Windows Live Contacts\ramiko82@hotmail.com\shadow\members.stg Object is locked skipped
C:\Users\R\AppData\Local\Temp\flaFEA6.tmp Object is locked skipped
C:\Users\R\AppData\Local\Temp\IMGDCE1.tmp Object is locked skipped
C:\Users\R\AppData\Local\Temp\~DFD979.tmp Object is locked skipped
C:\Users\R\AppData\Local\Temp\~DFD9A6.tmp Object is locked skipped
C:\Users\R\AppData\Local\Temp\~DFF01B.tmp Object is locked skipped
C:\Users\R\AppData\Local\Temp\~DFF020.tmp Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\blogdrafts.sqlite Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\cert8.db Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\feedcontent.sqlite Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\flock-data.sqlite Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\history.dat Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\key3.db Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\log.txt Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\parent.lock Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\search.sqlite Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\R\AppData\Roaming\Flock\Browser\Profiles\savu57pw.default\webdetective.sqlite Object is locked skipped
C:\Users\R\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Users\R\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\R\ntuser.dat Object is locked skipped
C:\Users\R\ntuser.dat.LOG1 Object is locked skipped
C:\Users\R\ntuser.dat.LOG2 Object is locked skipped
C:\Users\R\ntuser.dat{73b339e6-93c5-11dc-8a86-0016d4fad5f8}.TM.blf Object is locked skipped
C:\Users\R\ntuser.dat{73b339e6-93c5-11dc-8a86-0016d4fad5f8}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\R\ntuser.dat{73b339e6-93c5-11dc-8a86-0016d4fad5f8}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\ehmsdri.log Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\ehRecvr.log Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\Ikeext.etl Object is locked skipped
C:\Windows\System32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\TOSCDSPD.EXE Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.002 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\tracing\BAP.LOG Object is locked skipped
C:\Windows\tracing\IpHlpSvc.LOG Object is locked skipped
C:\Windows\tracing\kerberos\FRANCIS_kerberos_1_6_0_6000_0_0__300_6_0_6000_16386__vista_rtm_061101_2205_.etl Object is locked skipped
C:\Windows\tracing\KMDDSP.LOG Object is locked skipped
C:\Windows\tracing\NDPTSP.LOG Object is locked skipped
C:\Windows\tracing\PPP.LOG Object is locked skipped
C:\Windows\tracing\RASAPI32.LOG Object is locked skipped
C:\Windows\tracing\RASBACP.LOG Object is locked skipped
C:\Windows\tracing\RASCCP.LOG Object is locked skipped
C:\Windows\tracing\RASDLG.LOG Object is locked skipped
C:\Windows\tracing\RASEAP.LOG Object is locked skipped
C:\Windows\tracing\RASIPCP.LOG Object is locked skipped
C:\Windows\tracing\RASIPHLP.LOG Object is locked skipped
C:\Windows\tracing\RASIPV6CP.LOG Object is locked skipped
C:\Windows\tracing\RASMAN.LOG Object is locked skipped
C:\Windows\tracing\RASPAP.LOG Object is locked skipped
C:\Windows\tracing\RASQEC.LOG Object is locked skipped
C:\Windows\tracing\RASTAPI.LOG Object is locked skipped
C:\Windows\tracing\svchost_RASCHAP.LOG Object is locked skipped
C:\Windows\tracing\svchost_RASTLS.LOG Object is locked skipped
C:\Windows\tracing\tapi32.LOG Object is locked skipped
C:\Windows\tracing\tapisrv.LOG Object is locked skipped
E:\download\PDF\pwdremover.exe/file01 Infected: not-a-virus:PSWTool.Win32.PdfCracker.c skipped
E:\download\PDF\pwdremover.exe Inno: infected - 1 skipped
E:\download\Schedule\dshutdown.zip/DShutdown/DShutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.h skipped
E:\download\Schedule\dshutdown.zip ZIP: infected - 1 skipped
E:\download\usb\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.a skipped
E:\download\Virtual Network\vnc\vnc-E4_1_6-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.414 skipped
E:\download\Virtual Network\vnc\vnc-E4_1_6-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.414 skipped
E:\download\Virtual Network\vnc\vnc-E4_1_6-x86_win32.exe Inno: infected - 2 skipped
E:\recorded tv\TempRec\TempSBE\MSDVRMM_2456189272_458752_10251 Object is locked skipped
E:\recorded tv\TempRec\TempSBE\MSDVRMM_2456189272_917504_10246 Object is locked skipped
E:\recorded tv\TempRec\TempSBE\SBE2E11.tmp Object is locked skipped
E:\recorded tv\TempRec\TempSBE\SBE30E0.tmp Object is locked skipped
E:\recorded tv\TempRec\{1138983E-D83B-4A98-AE37-D9B7054A25A9}.TmpSBE Object is locked skipped
E:\recorded tv\TempRec\{456AC601-B6CD-47CD-9086-816896749508}.TmpSBE Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
 
F-Secure

Result: 3 malware found
Tracking Cookie (spyware)

* System

Trojan-Downloader.Win32.Bagle (virus)

* System

Trojan-Downloader.Win32.Bagle.nu (virus)

* C:\WINDOWS\SYSTEM32\TOSCDSPD.EXE

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\51F7E9DB8CFB930FC0966FBA351A8B83_B49EB2C3-5962-4FC7-96AE-FDDC52592233
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FED42419E485E6BA3BDB56159F33A896_B49EB2C3-5962-4FC7-96AE-FDDC52592233
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\51F7E9DB8CFB930FC0966FBA351A8B83_B49EB2C3-5962-4FC7-96AE-FDDC52592233
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FED42419E485E6BA3BDB56159F33A896_B49EB2C3-5962-4FC7-96AE-FDDC52592233
* E:\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_2456189272_458752_10251
* E:\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_2456189272_917504_10246
 
Well, good news is that we found the file dropper.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\System32\TOSCDSPD.EXE
E:\download\PDF\pwdremover.exe

Folder::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"=-

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe


Combo-Do.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Then reboot and run the F-Secure Online Scan again and post a new HijackThis log, and the ComboFix log
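An added example, not part of the thread: a small Python triage helper that reads scan-log lines in the Dr.Web format posted above and ComboFix's "Reg Loading Points" dump, separates real detections from "Object is locked" noise and "not-a-virus" riskware, and emits the File:: and Registry:: sections of a CFScript like the one the helper wrote by hand. The sample lines are constructed from the thread; the HKCU Run value for TOSCDSPD is assumed to match the Registry:: line in the CFScript, since the log in this section no longer shows it.

```python
import re
from dataclasses import dataclass

# Dr.Web result line: "<path> Infected: <name> skipped" or "<path> Object is locked skipped"
SCAN_LINE = re.compile(r"^(?P<path>.+?) (?:Infected: (?P<det>\S+)|Object is locked) skipped$")
# ComboFix "Reg Loading Points" dump: [key] headers and "Name"="target" [date time size [resolved path]]
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?')


@dataclass(frozen=True)
class Detection:
    path: str       # on-disk file; archive members ("x.zip/inner.exe") are folded onto the container
    name: str       # scanner's detection name
    riskware: bool  # True for "not-a-virus:" names (admin tools, crackers), which are not malware


def parse_scan_log(lines):
    """Return unique detections from a scan log, dropping 'Object is locked' and container summary lines."""
    seen, found = set(), []
    for line in lines:
        m = SCAN_LINE.match(line.strip())
        if not m or not m.group("det"):
            continue
        # Windows paths never contain '/', so anything after the first one is an archive member name.
        path = m.group("path").split("/", 1)[0]
        if path.lower() in seen:
            continue
        seen.add(path.lower())
        det = m.group("det")
        found.append(Detection(path, det, det.startswith("not-a-virus:")))
    return found


def parse_run_entries(lines):
    """Return (key, value_name, target_path) triples from a Reg Loading Points dump."""
    key, entries = None, []
    for line in lines:
        line = line.strip()
        k = REG_KEY.match(line)
        if k:
            key = k.group("key")
            continue
        v = REG_VALUE.match(line)
        if not v or key is None:
            continue
        target, meta = v.group("target"), v.group("meta") or ""
        # A bare filename ("RtHDVCpl.exe") is resolved by ComboFix as the 4th bracket field.
        fields = meta.split(" ", 3)
        if ":\\" not in target and len(fields) == 4:
            target = fields[3]
        entries.append((key, v.group("name"), target))
    return entries


def build_cfscript(detections, run_entries, include_riskware=False):
    """Emit the File:: and Registry:: sections of a CFScript for the detections worth removing."""
    files = [d.path for d in detections if include_riskware or not d.riskware]
    wanted = {f.lower() for f in files}
    reg = {}
    for key, name, target in run_entries:
        if target.lower() in wanted:  # autorun value that launches a file being deleted
            reg.setdefault(key, []).append(name)
    text = "File::\n" + "\n".join(files) + "\n\nRegistry::\n"
    for key, names in reg.items():
        text += f"[{key}]\n" + "".join(f'"{n}"=-\n' for n in names)
    return text


# Constructed sample input, copied from the thread's Dr.Web output (not a full log).
SAMPLE_SCAN = r"""
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\TOSCDSPD.EXE Infected: Trojan-Downloader.Win32.Bagle.nu skipped
E:\download\PDF\pwdremover.exe/file01 Infected: not-a-virus:PSWTool.Win32.PdfCracker.c skipped
E:\download\PDF\pwdremover.exe Inno: infected - 1 skipped
E:\download\Virtual Network\vnc\vnc-E4_1_6-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.414 skipped
E:\download\Virtual Network\vnc\vnc-E4_1_6-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.414 skipped
""".strip().splitlines()

# Constructed Run entries; the TOSCDSPD value is assumed to match the thread's CFScript Registry:: line.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"TOSCDSPD"="C:\Windows\System32\TOSCDSPD.EXE" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
""".strip().splitlines()

if __name__ == "__main__":
    print(build_cfscript(parse_scan_log(SAMPLE_SCAN), parse_run_entries(SAMPLE_REG)))
```

By default only real malware goes into the script; pass include_riskware=True to also list the not-a-virus tools the scanner flagged, as the helper chose to do for pwdremover.exe.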
 
Hi
F-Secure didn't find anything
I can't run HijackThis

ComboFix 08-04-24.1 - R 2008-05-02 14:18:18.6 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1256.963.1033.18.1154 [GMT 2:00]
Running from: C:\Users\R\Desktop\Combo-Fix.exe
Command switches used :: C:\Users\R\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\System32\TOSCDSPD.EXE
E:\download\PDF\pwdremover.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\download\PDF\pwdremover.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 12:15 --------- d-----w C:\Program Files\ChrisTV PVR
2008-05-02 12:13 --------- d-----w C:\Program Files\Common Files\AVerMedia
2008-05-02 12:12 --------- d-----w C:\Program Files\AVerMedia
2008-04-30 23:53 --------- d-----w C:\Program Files\boost
2008-04-29 23:49 --------- d-----w C:\Program Files\DScaler
2008-04-29 21:37 --------- d-----w C:\Users\R\AppData\Roaming\River Past G5
2008-04-29 21:37 --------- d-----w C:\ProgramData\River Past G5
2008-04-29 21:32 161,140 ----a-w C:\Windows\DirectShow Detective Uninstaller.exe
2008-04-29 21:32 --------- d-----w C:\Program Files\River Past
2008-04-29 21:32 --------- d-----w C:\Program Files\Common Files\River Past
2008-04-29 21:12 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-04-29 21:11 --------- d-----w C:\Program Files\DVDVideoSoft
2008-04-29 19:20 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 19:20 --------- d-----w C:\Users\R\AppData\Roaming\GHISLER
2008-04-29 19:20 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-29 19:20 --------- d-----w C:\ProgramData\FLEXnet
2008-04-29 19:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-29 19:20 --------- d-----w C:\Program Files\My Ebook Library
2008-04-29 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-28 19:39 --------- d-----w C:\Program Files\QuickMediaConverter
2008-04-26 17:33 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 15:27 --------- d-----w C:\Users\Guest\AppData\Roaming\Flock
2008-04-26 11:44 --------- d-----w C:\Program Files\CCleaner
2008-04-26 07:51 87,497 ----a-w C:\MGlogs.zip
2008-04-26 06:06 --------- d-----w C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 06:04 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-26 06:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 05:54 --------- d-----w C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 05:54 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 05:35 1,238,055 ----a-w C:\MGtools.exe
2008-04-26 03:36 --------- d-----w C:\ProgramData\avg8
2008-04-26 03:35 10,520 ------w C:\Windows\System32\avgrsstx.dll
2008-04-26 03:35 --------- d-----w C:\Program Files\AVG
2008-04-26 02:35 --------- d-----w C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 02:35 --------- d-----w C:\Program Files\WinVDRPRO
2008-04-26 01:09 --------- d-----w C:\Users\R\AppData\Roaming\Greyfirst
2008-04-26 01:09 --------- d-----w C:\Program Files\Celtx
2008-04-25 23:42 --------- d-----w C:\Program Files\MatroskaProp
2008-04-25 00:29 --------- d-----w C:\Program Files\Movienizer
2008-04-19 23:45 --------- d-----w C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 10:35 --------- d-----w C:\Program Files\KeyScrambler
2008-04-16 08:38 --------- d-----w C:\Program Files\QuickTime
2008-04-16 08:37 --------- d-----w C:\ProgramData\Apple Computer
2008-04-16 08:33 --------- d-----w C:\ProgramData\Apple
2008-04-16 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 18:19 --------- d-----w C:\Program Files\DivXLand
2008-04-15 17:49 --------- d-----w C:\Users\R\AppData\Roaming\Jubler
2008-04-15 16:58 --------- d-----w C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 23:02 --------- d-----w C:\Program Files\LearnPoker
2008-04-10 19:44 --------- d-----w C:\Program Files\DivX
2008-04-10 03:02 --------- d-----w C:\Program Files\Windows Mail
2008-04-07 18:16 --------- d-----w C:\Program Files\ChrisTV
2008-04-07 17:01 --------- d-----w C:\Program Files\Common Files\NacreWare
2008-04-07 14:16 --------- d-----w C:\ProgramData\Team MediaPortal
2008-04-07 14:15 --------- d-----w C:\Program Files\Team MediaPortal
2008-04-06 12:31 205,792 ----a-w C:\GDIPFONTCACHEV1.DAT
2008-04-06 10:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 08:05 --------- d-----w C:\Program Files\EMDB
2008-04-05 00:01 --------- d-----w C:\Program Files\AMC2000
2008-04-02 13:40 --------- d-----w C:\Program Files\Aspell
2008-04-02 08:49 --------- d-----w C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-31 03:33 --------- d-----w C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 03:02 --------- d-----w C:\Users\R\AppData\Roaming\tor
2008-03-31 00:25 223,424 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-03-30 17:15 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-03-30 17:14 --------- d-----w C:\Program Files\RealMedia
2008-03-30 17:14 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 17:12 --------- d-----w C:\Program Files\SHOUTcast Source
2008-03-30 17:12 --------- d-----w C:\Program Files\DSP-worx
2008-03-30 17:12 --------- d-----w C:\Program Files\DirectVobSub
2008-03-28 14:45 --------- d-----w C:\Program Files\DC++
2008-03-28 00:35 --------- d-----w C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 00:35 --------- d-----w C:\Program Files\Uniblue
2008-03-25 15:45 --------- d-----w C:\Users\R\AppData\Roaming\Autodesk
2008-03-25 15:45 --------- d-----w C:\ProgramData\Autodesk
2008-03-25 00:52 --------- d-----w C:\ProgramData\Symantec
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-20 22:36 --------- d-----w C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 09:24 --------- d-----w C:\Program Files\Crown Forex Trading Station 4
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-04 13:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\System32\drivers\tcpip.sys
2006-11-02 10:58 802816 d944522b048a5feb7700b5170d3d9423 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys
2008-01-09 12:53 802816 028061c7f6d2d03068c72e2a27e4228a C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16627_none_5f90b964923d030a\tcpip.sys
2008-01-09 12:53 804352 43eae40b50fe3e60d194dd9c97ebb1fd C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys
2008-02-13 18:13 806400 52a8bd6294f7d1443c6184c67ae13af4 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20752_none_5ff4e4f9ab7777f4\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot_2008-04-30_ 1.40.02.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 23:08:25 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-01 10:33:15 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-02-27 13:59:28 290,816 ----a-w C:\Windows\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 13:59:28 495,616 ----a-w C:\Windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 14:00:12 262,144 ----a-w C:\Windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 13:59:16 588,392 ----a-w C:\Windows\Downloaded Program Files\gatelauncher.exe
+ 2008-05-02 12:13:22 3,638 ----a-r C:\Windows\Installer\{FC87BEA8-5582-476C-A754-41F3A9D976D4}\ARPPRODUCTICON.exe
- 2008-04-29 23:07:07 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-05-01 04:16:17 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-01 10:33:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-01 10:33:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-29 23:20:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-01 10:39:46 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-29 23:20:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-01 10:39:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-02 11:45:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-29 19:27:04 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-02 11:45:22 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-02 11:45:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-17 05:35:06 262,144 ------r C:\Windows\System32\sptlib01.dll
+ 2006-11-17 12:35:06 262,144 ------r C:\Windows\System32\sptlib01.dll
- 2007-03-15 19:27:36 253,952 ------r C:\Windows\System32\sptlib02.dll
+ 2007-03-16 02:27:36 253,952 ------r C:\Windows\System32\sptlib02.dll
- 2008-04-29 19:25:10 13,646 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
+ 2008-05-01 10:40:33 13,798 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
- 2008-04-29 19:25:09 111,978 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-01 10:40:32 112,304 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-28 21:57:17 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-05-01 04:16:13 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-04-29 19:25:07 70,494 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-01 10:40:30 70,706 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-28 01:12:37 417,276 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-04-30 19:34:39 419,558 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 09:40 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 01:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 18:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-29 13:43 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 15:46 534648]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 19:14 34352]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 10:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-11-01 13:08 438272]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-30 01:03 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-04-30 01:03 22696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 10:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 10:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 10:40 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 05:32 898344]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 05:00 204800]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2008-05-02 14:13:41 618496]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 2007-04-19 12:41 294912 E:\1\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-750633413-4032638155-1365244786-1000]
"EnableNotificationsRef"=dword:00000009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{62FA87DF-113A-453C-BCA0-ACA385B5EE65}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{5EA8B303-9DAE-4E1A-A73D-1A127FE16BBC}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{58125C7D-B430-4BD9-B491-87389DDE2A81}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{63A173B0-C9AD-46CB-A81D-9A324C6056B0}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{47D27F1D-EA25-4C77-A137-ED1CAF387567}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7D7F429-D75D-4C48-9920-9296AFDE1EFD}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{5750A28D-0251-49F5-BC8B-9D36237D45D5}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CBD0881F-E7E7-4490-8A2C-947A16395419}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{6B90128A-8526-4C76-8527-E22B4BC09273}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{04C7A7AE-3C28-4FF4-AF86-3AD0B9CD0FF7}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69D4F31B-E0C4-4DA3-B9C4-632E9F3D34A5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4ED654C1-BF0F-4353-AEC0-AF1C7495251B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{03605E4F-77E3-4095-ADBE-30D00693D00B}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{B8926958-DA97-4F8E-998B-34CABFC7FC82}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{D4155DA4-5FEA-42D6-B07E-6C4EFA616C14}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071002.003\IDSvix86.sys [2007-09-13 16:49]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys [2007-06-19 09:59]
R1 PSched;QoS Packet Scheduler;C:\Windows\system32\DRIVERS\pacer.sys [2007-08-29 10:07]
R2 SBSDWSCService;SBSD Security Center Service;E:\2\SDWinSec.exe [2008-01-28 11:43]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 16:56]
R2 VPCAppSv;Virtual PC Application Services;C:\Windows\system32\DRIVERS\VPCAppSv.sys [2002-10-10 23:10]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;C:\Windows\system32\drivers\AVerFx2hbtv.sys [2007-08-16 11:54]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 16:13]
S2 CardBusService;CardBusService;C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe [2007-04-24 09:15]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-18 16:40]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-18 16:47]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c27c1af2-294a-11dc-a41c-806e6f6e6963}]
\shell\AutoRun\command - F:\Autorun.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 18:43:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - R.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-05-02 12:25:28 C:\Windows\Tasks\User_Feed_Synchronization-{FB15F4EB-BD17-472F-8975-5C236FC8AC98}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 14:23:12
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\R\AppData\Local\Temp\~DF22F2.tmp 16384 bytes
C:\Users\R\AppData\Local\Temp\~DF2319.tmp 512 bytes

scan completed successfully
hidden files: 6

**************************************************************************
.
Completion time: 2008-05-02 14:27:15
ComboFix-quarantined-files.txt 2008-05-02 12:26:40
ComboFix2.txt 2008-05-01 11:53:07
ComboFix3.txt 2008-04-29 23:40:36
ComboFix4.txt 2008-04-27 20:18:34
ComboFix5.txt 2008-04-26 17:45:39

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

307 --- E O F --- 2008-04-24 16:46:15

Can you do this?

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



Also tell me how your PC is running.

DSS created only main.txt

main.txt
Deckard's System Scanner v20071014.68
Run by R on 2008-05-04 14:41:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-04 14:41:23
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\mdn2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\igfxsrvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\System32\conime.exe
C:\Users\R\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Wah] C:\Program Files\Common Files\Mdn2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: AVerQuick.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: ت&صدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: إرسال إلى OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: إر&سال إلى OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\1\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: CardBusService - Unknown owner - C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\System32\Crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - E:\2\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\System32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


--
End of file - 14648 bytes

-- Files created between 2008-04-04 and 2008-05-04 -----------------------------

2008-05-02 14:16:33 0 d-------- C:\Combo-Fix
2008-05-02 14:13:31 3456 -r------- C:\Windows\system32\AVerIO.sys
2008-05-02 14:13:31 49152 -r------- C:\Windows\system32\AVerIO.dll <Not Verified; ; AVerIO>
2008-05-02 14:13:29 73728 -r------- C:\Windows\system32\CardID.dll <Not Verified; AVerMedia Technologies, Inc.; >
2008-05-02 14:13:26 253952 -r------- C:\Windows\system32\sptlib02.dll
2008-05-02 14:13:26 262144 -r------- C:\Windows\system32\sptlib01.dll
2008-05-02 14:12:49 0 d-------- C:\Program Files\Common Files\AVerMedia
2008-05-01 14:28:56 0 d-------- C:\fsaua.data
2008-05-01 01:53:31 0 d-------- C:\Program Files\boost
2008-04-30 11:56:16 0 d-------- C:\Users\R\DoctorWeb
2008-04-30 02:07:00 0 d-------- C:\CTV_TEMP
2008-04-29 23:38:32 0 d-------- C:\Program Files\DScaler
2008-04-29 23:32:52 161140 --a------ C:\Windows\DirectShow Detective Uninstaller.exe
2008-04-29 23:32:52 0 d-------- C:\Users\All Users\River Past G5
2008-04-29 23:32:52 0 d-------- C:\Program Files\Common Files\River Past
2008-04-29 23:32:51 0 d-------- C:\Program Files\River Past
2008-04-29 23:12:01 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-04-29 23:11:55 0 d-------- C:\Program Files\DVDVideoSoft
2008-04-28 21:33:36 0 d-------- C:\Program Files\QuickMediaConverter
2008-04-26 19:33:45 0 d-------- C:\Program Files\Trend Micro
2008-04-26 14:45:34 68096 --a------ C:\Windows\zip.exe
2008-04-26 14:45:34 49152 --a------ C:\Windows\VFind.exe
2008-04-26 14:45:34 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-26 14:45:34 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-26 14:45:34 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-26 14:45:34 98816 --a------ C:\Windows\sed.exe
2008-04-26 14:45:34 80412 --a------ C:\Windows\grep.exe
2008-04-26 14:45:34 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-26 14:45:24 0 d-------- C:\k
2008-04-26 13:44:00 0 d-------- C:\Program Files\CCleaner
2008-04-26 09:51:13 11254 --a------ C:\Windows\system32\locate.com
2008-04-26 09:49:23 0 d-------- C:\MGtools
2008-04-26 09:49:09 1238055 --a------ C:\MGtools.exe
2008-04-26 08:06:37 0 d-------- C:\Users\All Users\Malwarebytes
2008-04-26 08:06:37 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 08:04:44 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-26 08:01:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 07:54:36 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-26 05:35:23 0 d-------- C:\Program Files\AVG
2008-04-26 05:35:21 0 d-------- C:\Users\All Users\avg8
2008-04-26 03:09:03 0 d-------- C:\Program Files\Celtx
2008-04-26 02:00:36 414272 --a------ C:\Windows\system32\DivXc32f.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-26 02:00:35 414272 --a------ C:\Windows\system32\DivXc32.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-26 02:00:34 626688 --a------ C:\Windows\system32\xvid.dll
2008-04-26 02:00:34 0 d-------- C:\Program Files\WinVDRPRO
2008-04-26 01:41:04 0 d-------- C:\Program Files\MatroskaProp
2008-04-16 10:37:18 0 d-------- C:\Program Files\QuickTime
2008-04-16 10:37:15 0 d-------- C:\Users\All Users\Apple Computer
2008-04-16 10:33:31 0 d-------- C:\Users\All Users\Apple
2008-04-16 10:33:31 0 d-------- C:\Program Files\Apple Software Update
2008-04-15 20:19:20 0 d-------- C:\Program Files\DivXLand
2008-04-13 02:28:01 0 d-------- C:\Poker
2008-04-13 02:09:25 0 d-------- C:\Microgaming
2008-04-11 01:24:17 0 d-------- C:\Programs
2008-04-11 01:02:16 0 d-------- C:\Program Files\LearnPoker
2008-04-07 20:16:12 0 d-------- C:\Program Files\ChrisTV
2008-04-07 19:01:22 0 d-------- C:\Program Files\Common Files\NacreWare
2008-04-07 17:38:49 0 d-------- C:\Program Files\ChrisTV PVR
2008-04-07 16:47:00 0 d-------- C:\ChrisTV PVR
2008-04-06 14:31:36 205792 --a------ C:\GDIPFONTCACHEV1.DAT
2008-04-05 16:37:19 0 d-------- C:\Users\All Users\Team MediaPortal
2008-04-05 16:36:23 0 d-------- C:\Program Files\Team MediaPortal
2008-04-05 12:41:02 0 d-------- C:\Windows\Driver Cache
2008-04-05 12:39:15 0 d-------- C:\Program Files\AVerMedia
2008-04-04 17:28:36 0 d-------- C:\Program Files\AMC2000


-- Find3M Report ---------------------------------------------------------------

2008-05-02 14:12:49 0 d-------- C:\Program Files\Common Files
2008-04-29 23:37:20 0 d-------- C:\Users\R\AppData\Roaming\River Past G5
2008-04-29 21:20:52 0 d-------- C:\Users\R\AppData\Roaming\GHISLER
2008-04-29 21:20:29 0 d-------- C:\Program Files\Norton Internet Security
2008-04-29 21:20:28 0 d-------- C:\Program Files\My Ebook Library
2008-04-29 21:20:28 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-29 21:20:26 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 21:20:26 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-26 08:06:49 0 d-------- C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 07:54:08 0 d-------- C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 04:35:05 0 d-------- C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 03:09:52 0 d-------- C:\Users\R\AppData\Roaming\Greyfirst
2008-04-25 02:29:45 0 d-------- C:\Program Files\Movienizer
2008-04-20 01:45:29 0 d-------- C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 12:35:37 0 d-------- C:\Program Files\KeyScrambler
2008-04-15 19:49:57 0 d-------- C:\Users\R\AppData\Roaming\Jubler
2008-04-15 18:58:03 0 d-------- C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 21:44:26 0 d-------- C:\Program Files\DivX
2008-04-10 05:02:10 0 d-------- C:\Program Files\Windows Mail
2008-04-06 12:30:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-05 10:05:57 0 d-------- C:\Program Files\EMDB
2008-04-02 15:40:29 0 d-------- C:\Program Files\Aspell
2008-04-02 10:49:13 0 d-------- C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 23:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 23:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 23:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 23:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 23:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 05:33:04 0 d-------- C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 05:02:48 0 d-------- C:\Users\R\AppData\Roaming\tor
2008-03-30 19:15:02 0 d-------- C:\Program Files\CD Audio Reader Filter
2008-03-30 19:14:47 0 d-------- C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 19:14:34 0 d-------- C:\Program Files\RealMedia
2008-03-30 19:12:54 0 d-------- C:\Program Files\SHOUTcast Source
2008-03-30 19:12:46 0 d-------- C:\Program Files\DSP-worx
2008-03-30 19:12:36 0 d-------- C:\Program Files\DirectVobSub
2008-03-28 16:45:04 0 d-------- C:\Program Files\DC++
2008-03-28 02:35:16 0 d-------- C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 02:35:11 0 d-------- C:\Program Files\Uniblue
2008-03-25 17:45:17 0 d-------- C:\Users\R\AppData\Roaming\Autodesk
2008-03-21 22:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 22:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 22:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 22:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-03-21 00:36:06 0 d-------- C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 11:24:30 0 d-------- C:\Program Files\Crown Forex Trading Station 4
2008-03-19 13:27:39 0 d-------- C:\Users\R\AppData\Roaming\Bytescout SWF To Video Scout
2008-03-17 13:37:50 0 d-------- C:\Program Files\SWiSH v2.0
2008-03-16 18:11:00 0 d-------- C:\Program Files\IMDBScanner
2008-03-15 12:07:24 0 d-------- C:\Users\R\AppData\Roaming\Skype
2008-03-14 17:24:41 0 d-------- C:\Program Files\Shareaza
2008-03-14 16:51:31 0 d-------- C:\Program Files\Ares
2008-03-13 13:30:59 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-13 13:30:27 0 d-------- C:\Program Files\AutoCAD Architecture 2008
2008-03-13 13:07:59 0 d-------- C:\Program Files\Autodesk
2008-03-12 22:44:15 0 d-------- C:\Users\R\AppData\Roaming\Media Player Classic
2008-03-12 22:32:28 0 d-------- C:\Program Files\Gabest
2008-03-12 22:18:25 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-03-12 22:03:39 0 d-------- C:\Program Files\MKVtoolnix
2008-03-12 02:52:26 0 d-------- C:\Users\R\AppData\Roaming\Axosoft
2008-03-12 02:52:16 0 d-------- C:\Program Files\TBFDropZone
2008-03-10 17:05:47 0 d-------- C:\Program Files\uTorrent
2008-03-07 19:42:25 0 d-------- C:\Users\R\AppData\Roaming\Flock
2008-03-07 19:42:23 0 d-------- C:\Program Files\Flock


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10. 07. 2007 09:40]
"RtHDVCpl"="RtHDVCpl.exe" [18. 01. 2007 15:46 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [20. 12. 2006 01:16]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [07. 12. 2006 18:49]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [29. 01. 2007 13:43]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [17. 01. 2007 15:46]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [06. 11. 2006 19:14]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [01. 11. 2006 10:06]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [01. 11. 2006 13:08]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [30. 04. 2008 01:03]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [30. 04. 2008 01:03]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [13. 01. 2007 10:40]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [13. 01. 2007 10:40]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [13. 01. 2007 10:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [27. 07. 2007 05:32]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [27. 07. 2007 05:00]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [21. 09. 2007 21:21]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11. 01. 2008 20:54]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [28. 11. 2007 20:51]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [11. 02. 2008 20:13]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11. 02. 2008 20:13]
"Persistence"="C:\Windows\system32\igfxpers.exe" [11. 02. 2008 20:13]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28. 03. 2008 23:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02. 11. 2006 14:35]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18. 10. 2007 12:34]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02. 11. 2006 14:36]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2. 5. 2008 14:13:41]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17. 2. 1999 20:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [20. 12. 2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 19. 04. 2007 12:41 294912 E:\1\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
schedule


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c27c1af2-294a-11dc-a41c-806e6f6e6963}]
AutoRun\command- F:\Autorun.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-04 14:41:42 ------------
 
Your logs are clean! We need to do a few things.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
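The Internet Explorer zone steps above are click-by-click, so there is no easy way to confirm afterwards that the three ActiveX options really ended up where the post says. The script below is an added example, not something from the thread or from the helper: it reads a `reg export` of the Internet-zone key (zone 3 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones) and reports any of the three settings that is looser than recommended. The value names 1001, 1004 and 1201 and the meanings 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented IE URL-action identifiers; the .reg text in the script is a constructed sample, not a capture from the machine in this thread.

```python
"""Audit the Internet-zone ActiveX settings the post tells the reader to change.

Added example, not from the thread. Feed it the text of
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg
(reg.exe writes UTF-16, so open the file with encoding="utf-16").
"""
import re

# IE keeps each zone option as a REG_DWORD named by its URL-action id (Microsoft-documented ids).
SETTINGS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}   # higher = safer
# What the post asks for: both download options at Prompt, unsafe-init at Disable.
RECOMMENDED = {"1001": PROMPT, "1004": PROMPT, "1201": DISABLE}

# Constructed sample of a reg export: signed downloads and unsafe-init both at Enable,
# unsigned downloads at Disable (stricter than the post's Prompt).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00000000
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000000
"1400"=dword:00000000
"""

_DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_dwords(reg_text, key_suffix=r"\Zones\3"):
    """Return {value_name: int} for the REG_DWORD values under the key whose path ends in key_suffix."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower().endswith(key_suffix.lower())
            continue
        if not in_key:
            continue
        m = _DWORD_LINE.match(line)
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_activex(values):
    """Return (id, description, current, wanted) for each setting looser than RECOMMENDED.

    A value that is absent from HKCU is inherited from elsewhere; it is treated as
    Enable here so that it gets reported instead of silently assumed safe.
    A setting that is stricter than recommended (e.g. Disable where Prompt was asked) passes.
    """
    findings = []
    for vid, wanted in RECOMMENDED.items():
        current = values.get(vid, ENABLE)
        if STRICTNESS.get(current, -1) < STRICTNESS[wanted]:
            findings.append((vid, SETTINGS[vid], LABEL.get(current, hex(current)), LABEL[wanted]))
    return findings


if __name__ == "__main__":
    for vid, desc, cur, want in audit_activex(parse_reg_dwords(SAMPLE_REG)):
        print(f"{vid} {desc}: is {cur}, should be {want}")
```

To run it against a real machine, replace `SAMPLE_REG` with `open("zone3.reg", encoding="utf-16").read()`. Note that the checker only accepts a setting that is at least as strict as the post recommends, so leaving "Download unsigned ActiveX controls" at its Disable default is not reported as a problem.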
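The HOSTS file point cuts both ways: the same mechanism that lets the MVPS list sinkhole ad servers to 127.0.0.1 lets malware point a bank or update site at an address it controls, so after a cleanup it is worth checking what the file actually maps where. This is an added example, not part of the thread or of the MVPS list itself: it parses hosts-file text, separates entries that are sinkholed to the local machine from entries that redirect elsewhere, and answers whether a given name is blocked. The hosts text inside it is constructed (the .test names and 198.51.100.23 are documentation placeholders); on Vista the real file is C:\Windows\System32\drivers\etc\hosts.

```python
"""Separate blocking entries from redirecting entries in a HOSTS file.

Added example, not from the thread. Sample text below is constructed.
"""
import ipaddress

SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
# constructed sample in the MVPS style, not the real list
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example-adserver.test
0.0.0.0  tracker.example-tracking.test   # trailing comment
127.0.0.1  www.bad-example.test  cdn.bad-example.test
198.51.100.23   www.example-bank.test
198.51.100.23   update.example-vendor.test
not-an-ip       broken.example.test
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping; blanks, comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments, including trailing ones
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                        # garbage in the address column: ignore the line
            continue
        for host in fields[1:]:                   # one address may carry several names
            yield ip, host.lower().rstrip(".")


def classify_hosts(text):
    """Return (blocked, redirected): names sinkholed to the local machine vs. names sent somewhere else.

    127.0.0.0/8, ::1 and 0.0.0.0 count as sinkholes; anything else is a redirect,
    which is what a hijacking HOSTS file looks like. The localhost entries are left out.
    """
    blocked, redirected = {}, {}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if ip.is_loopback or ip.is_unspecified:
            blocked[host] = str(ip)
        else:
            redirected[host] = str(ip)
    return blocked, redirected


def is_blocked(text, hostname):
    """True if hostname is sinkholed by this HOSTS file (case-insensitive, trailing dot ignored)."""
    blocked, _ = classify_hosts(text)
    return hostname.lower().rstrip(".") in blocked


if __name__ == "__main__":
    blocked, redirected = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names blocked")
    for host, ip in redirected.items():
        print(f"REDIRECT {host} -> {ip}  (check this one)")
```

Point it at the real file with `classify_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())`; a healthy MVPS install shows a long blocked list and an empty redirected list, and anything in the redirected list deserves a look before the file is trusted.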
 
Thank you very much for your help and advice.
Everything seems clean now and I can install and run S&D and AVG.
Only the Win32 services (Windows Defender and WLAN) seem to be corrupted and need a Windows reinstall to work, but that's not the big problem now.
Thanks
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 