Virtumonde, Zlob, Win32... Many infections, please help.

strwbrywn20

New member
I installed and followed the directions to run the Kaspersky Online Scanner, but IE would send me an "IE has encountered a problem and must shut down" window. I have no problems running Spybot though. Please advise, thanks in advance!
************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:03 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\byxijxvp.dll",b
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{098D1E68-1210-40F5-94FA-36AED6647466}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C3B9347-74FB-4488-9F57-8AF49CF0CBAC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C980EEE-02EE-4ACE-9C94-EA4D29DEE607}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{95994582-EC05-4B26-B8DD-FB7C9F20B144}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C81268F0-79A9-4374-91B3-1B1982F78AB9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB735599-802C-4AEE-8361-392ACB3F82C4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{098D1E68-1210-40F5-94FA-36AED6647466}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O24 - Desktop Component 0: (no name) - http://pics.ebaystatic.com/aw/pics/logos/logoEbay_x45.gif

--
End of file - 12683 bytes
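As an added example (not code from this thread, from Trend Micro, or from the helper), here is a small Python triage script that runs over HijackThis lines of the kind posted above. It flags the O4 Run entry that launches rundll32 with an eight-letter DLL in system32 (the Virtumonde/Vundo pattern visible at [b4bda793]), the orphaned O3 toolbar with no file, and O17 NameServer overrides. The heuristics, the KNOWN_RESOLVERS set and the final O17 line with 192.0.2.53 are assumptions of this example, not HijackThis rules; the other sample lines are copied from the first log above.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Heuristics (assumptions, not HijackThis rules):
  * O4 Run entries whose command loads a DLL from system32 via rundll32.exe,
    where the DLL name is eight random letters, match the Virtumonde/Vundo
    pattern seen in the log above; a Run value name of eight hex digits is a
    weaker signal on its own.
  * O3 toolbars registered under a CLSID but reported as "(no file)" are
    orphaned registrations worth cleaning up.
  * O17 NameServer overrides are reported so the reviewer can confirm the
    resolvers are ones the owner actually chose.
"""
import re

# Resolvers treated as expected. These two are the OpenDNS addresses that
# appear in the log above; extend the set for your own environment.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Sample input: the O3/O4/O17 lines are copied from the HijackThis log above;
# the last O17 line (192.0.2.53, a documentation-range address) is constructed
# to exercise the unknown-resolver branch.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\byxijxvp.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O17 - HKLM\System\CCS\Services\Tcpip\..\{098D1E68-1210-40F5-94FA-36AED6647466}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.0.2.53
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<title>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[\d.,\s]+)$")
RANDOM_DLL_RE = re.compile(r"\\system32\\([a-z]{8})\.dll\b", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def classify_line(line):
    """Return a finding dict for one HijackThis line, or None if nothing to report."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        reasons, severity = [], None
        if "rundll32" in cmd.lower() and RANDOM_DLL_RE.search(cmd):
            reasons.append("rundll32 loads an eight-letter DLL from system32")
            severity = "high"
        if HEX_NAME_RE.match(name):
            reasons.append("Run value name is eight hex digits")
            severity = severity or "medium"
        if reasons:
            return {"type": "O4", "severity": severity, "item": name,
                    "reason": "; ".join(reasons)}
        return None
    m = O3_RE.match(line)
    if m and m.group("file").strip() == "(no file)":
        return {"type": "O3", "severity": "low", "item": m.group("clsid"),
                "reason": "toolbar CLSID is registered but its file is missing"}
    m = O17_RE.match(line)
    if m:
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
        if unknown:
            return {"type": "O17", "severity": "medium", "item": ",".join(servers),
                    "reason": "NameServer points at unrecognised resolver(s): " + ", ".join(unknown)}
        return {"type": "O17", "severity": "info", "item": ",".join(servers),
                "reason": "NameServer override to known public resolvers"}
    return None


def triage(log_text):
    """Run classify_line over a whole log; returns the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        finding = classify_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['type']} {f['item']}: {f['reason']}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The high-severity O4 hit is the kind of entry a helper would tell the poster to fix; the O17 lines are informational here because both addresses are in the allowlist, and the script deliberately does not touch the registry or delete anything.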
 
Hi and welcome to the forums. :)
I'm Markka and I will be helping you with your malware issues.

I'll check your HijackThis log. Right now I'm an MRU Undergrad, so everything that I post to you must be checked by teachers of Malware Removal University.
Please be patient. :)
 
Hello :)

Rename HijackThis.exe to Scanner.exe by doing the following:

  • Navigate to C:\Program Files\Trend Micro\HijackThis
  • Right-click on HijackThis.exe
  • Choose "Rename" from the pull-down menu
  • Rename HijackThis.exe to Scanner.exe
___________________

1. Download this file - combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall!
____________________

Post:
- A fresh HijackThis log
- Contents of C:\ComboFix.txt
 
Hi Markka, I followed your directions and am running ComboFix.exe, is it supposed to take a long time to run? It is scanning and says Completed Stage_3, but it's been there for a good hour. Should I just wait and let it keep doing this?
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:47 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{098D1E68-1210-40F5-94FA-36AED6647466}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C3B9347-74FB-4488-9F57-8AF49CF0CBAC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C980EEE-02EE-4ACE-9C94-EA4D29DEE607}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{95994582-EC05-4B26-B8DD-FB7C9F20B144}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C81268F0-79A9-4374-91B3-1B1982F78AB9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB735599-802C-4AEE-8361-392ACB3F82C4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{098D1E68-1210-40F5-94FA-36AED6647466}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 10730 bytes
 
ComboFix 07-11-19.4 - User 2007-11-28 9:17:46.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.218 [GMT -8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\kdinf.exe
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\rasqervy.dll
C:\WINDOWS\system32\sdfinacs.dll
C:\WINDOWS\system32\wuasirvy.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-28 08:48 23,696 --a------ C:\WINDOWS\system32\yayaayw.dll
2007-11-27 21:48 5 --a------ C:\WINDOWS\system32\sdfixwcs.dll
2007-11-27 11:44 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-27 07:30 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-11-27 07:29 <DIR> d-------- C:\MGtools
2007-11-27 07:29 69,272 --a------ C:\MGlogs.zip
2007-11-25 19:26 <DIR> d-------- C:\Documents and Settings\User\Application Data\Grisoft
2007-11-25 19:25 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-25 13:30 787,459 --ahs---- C:\WINDOWS\system32\tyrwpkas.ini
2007-11-25 13:30 85,056 --a------ C:\WINDOWS\system32\sakpwryt.dll
2007-11-25 13:28 71,232 --a------ C:\WINDOWS\system32\dmjgkrni.exe
2007-11-24 19:06 81,472 --a------ C:\WINDOWS\system32\ppxqqoqt.dll
2007-11-24 17:48 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-11-24 17:48 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-11-24 10:40 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Sunbelt Software
2007-11-23 21:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 20:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-23 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 20:20 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-23 20:20 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-23 20:20 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-23 19:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-23 19:07 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-23 19:07 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-23 19:07 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-23 18:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-23 14:51 <DIR> d-------- C:\Documents and Settings\User\Application Data\Sunbelt Software
2007-11-23 14:48 34,688 --a------ C:\WINDOWS\system32\drivers\lbrtfdc.sys
2007-11-23 14:48 34,688 --a--c--- C:\WINDOWS\system32\dllcache\lbrtfdc.sys
2007-11-23 14:48 18,688 --a------ C:\WINDOWS\system32\drivers\cdaudio.sys
2007-11-23 14:48 8,192 --a------ C:\WINDOWS\system32\drivers\i2omgmt.sys
2007-11-23 14:48 8,192 --a--c--- C:\WINDOWS\system32\dllcache\i2omgmt.sys
2007-11-23 14:48 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2007-11-23 14:48 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2007-11-23 14:47 8,192 --a------ C:\WINDOWS\system32\drivers\changer.sys
2007-11-23 14:47 8,192 --a--c--- C:\WINDOWS\system32\dllcache\changer.sys
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-11-23 11:53 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2007-11-23 11:03 776,399 --ahs---- C:\WINDOWS\system32\pvxjixyb.ini
2007-11-23 11:00 83,520 --a------ C:\WINDOWS\system32\grgumgsm.dll
2007-11-23 10:54 71,232 --a------ C:\WINDOWS\system32\snvbavan.exe
2007-11-22 13:16 1,938,077 --ahs---- C:\WINDOWS\system32\rchqtbli.ini
2007-11-22 13:16 85,056 --a------ C:\WINDOWS\system32\ilbtqhcr.dll
2007-11-22 13:12 79,936 --a------ C:\WINDOWS\system32\yuybnsfs.dll
2007-11-22 13:03 71,232 --a------ C:\WINDOWS\system32\ruphjudf.exe
2007-11-21 13:06 85,056 --a------ C:\WINDOWS\system32\xgspuwvt.dll
2007-11-21 13:03 71,232 --a------ C:\WINDOWS\system32\rqipflfx.exe
2007-11-20 18:14 84,544 --a------ C:\WINDOWS\system32\jcgamilf.dll
2007-11-20 13:06 689,241 --ahs---- C:\WINDOWS\system32\cwxaveia.ini
2007-11-20 13:06 85,056 --a------ C:\WINDOWS\system32\aievaxwc.dll
2007-11-19 23:18 <DIR> d-------- C:\Westwood
2007-11-19 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-19 17:22 <DIR> d-------- C:\VundoFix Backups
2007-11-19 13:12 83,008 --a------ C:\WINDOWS\system32\rklbpofl.dll
2007-11-19 13:09 1,349,431 --ahs---- C:\WINDOWS\system32\lgclyoux.ini
2007-11-19 13:01 71,232 --a------ C:\WINDOWS\system32\yenyhngn.exe
2007-11-18 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-18 12:21 678,216 --ahs---- C:\WINDOWS\system32\catdmtmi.ini
2007-11-18 00:09 <DIR> d-------- C:\Program Files\QdrModule
2007-11-18 00:09 <DIR> d-------- C:\Program Files\QdrDrive
2007-11-18 00:09 36,352 --a------ C:\WINDOWS\system32\ddccyya.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 21:00 --------- d-----w C:\Program Files\Pure Networks
2007-11-20 01:17 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-20 01:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 01:13 --------- d-----w C:\Program Files\Yahoo!
2007-11-20 01:13 --------- d-----w C:\Program Files\Cosmi
2007-10-30 02:05 --------- d-----w C:\Documents and Settings\Jacob\Application Data\Yahoo!
2007-10-25 18:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-12 05:59 --------- d-----w C:\Documents and Settings\Jacob\Application Data\MySpace
2007-10-07 02:35 --------- d-----w C:\Program Files\Java
2007-10-03 21:48 --------- d-----w C:\Program Files\Picasa2
2007-10-01 03:12 --------- d-----w C:\Documents and Settings\User\Application Data\MySpace
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2003-11-03 04:52 301,321 -c--a-w C:\Documents and Settings\All Users\Office 2003 Editions 60 Day Trial.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0e407384-d1b5-4d7d-8193-599611444033}]
C:\WINDOWS\system32\rnyisryf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{506E4BF2-FFB3-453E-8490-C23CE919647F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CFCB525-04E9-4959-8EBE-AF65BA683A86}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7e0737d2-015f-44aa-873a-2f4276526b21}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{861BDB04-BFB9-4A78-9E66-E07F1BADDB57}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95A0B330-5CB5-4CD3-A760-1ACF72FE7937}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96CB6BA5-59B8-4BCE-88EE-5AD66BDC6670}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0D6FAB8-9967-411C-9516-69CBC547329A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42471BC-CD91-445E-94EF-474145D84694}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-29 23:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 17:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 16:59]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 15:17 C:\WINDOWS\agrsmmsg.exe]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-03-08 14:27]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-04-20 14:56 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 19:08]
"TPSMain"="TPSMain.exe" [2004-12-28 15:02 C:\WINDOWS\system32\TPSMain.exe]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-26 06:59]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 15:51]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-12-24 09:07]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 15:25]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 02:06]
"ZoomingHook"="ZoomingHook.exe" [2004-05-01 12:41 C:\WINDOWS\system32\ZoomingHook.exe]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 12:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 01:56]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 01:36]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-04-12 15:18]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 09:55]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"CFSServ.exe"="CFSServ.exe" []
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 15:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-18 16:37:12]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\yayaayw.dll [2007-11-28 08:48 23696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bbttgglc]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lnmzzqct]
lnmzzqct.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaayw]
yayaayw.dll 2007-11-28 08:48 23696 C:\WINDOWS\system32\yayaayw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2004-09-07 13:03 1077301 --a------ C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R1 SerTVOutCtlr;TOSHIBA Controls Driver -EPIOMngr;C:\WINDOWS\system32\drivers\EPIOMngr.sys
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
S1 StickyMesger;StickyMesger;\??\C:\Program Files\TOSHIBA\Accessibility\StickyMesger.sys
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 09:24:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 9:27:59
.
--- E O F ---
 
I was finally able to run the Kaspersky Scanner...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 29, 2007 12:15:20 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/11/2007
Kaspersky Anti-Virus database records: 468054
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 61386
Number of viruses found: 12
Number of infected objects: 59
Number of suspicious objects: 0
Duration of the scan process: 00:41:11

Infected Object Name / Virus Name / Last Action
C:\37.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\37.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\37.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\07aoxcuo.default\cert8.db Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\07aoxcuo.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\07aoxcuo.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\07aoxcuo.default\history.dat Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\07aoxcuo.default\key3.db Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\07aoxcuo.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\07aoxcuo.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\07aoxcuo.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\07aoxcuo.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012007112820071129\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\QdrModule\QdrModule9.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kdinf.exe.vir Infected: Trojan.Win32.DNSChanger.acs skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kdmqg.exe.vir Infected: Trojan.Win32.DNSChanger.acs skipped
C:\qoobox\Quarantine\catchme2007-11-27_235921.12.zip/pmkji.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aza skipped
C:\qoobox\Quarantine\catchme2007-11-27_235921.12.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP473\A0073662.dll Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP473\A0073663.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP473\A0073666.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0074773.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0074810.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474\A0074814.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP476\A0075212.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP477\A0075443.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP478\A0075532.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP478\A0075534.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP478\A0075679.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP478\A0075689.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP478\A0076679.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP479\A0078061.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP479\A0078159.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP479\A0078197.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP480\A0078217.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP480\A0078286.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP480\A0078289.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP480\A0078290.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP481\A0078439.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP481\A0078441.exe Infected: not-a-virus:AdWare.Win32.Agent.vu skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP482\A0078469.exe Infected: Trojan.Win32.DNSChanger.acs skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP483\A0078579.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aza skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP488\A0078984.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aza skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP488\A0078999.exe Infected: Trojan.Win32.DNSChanger.acs skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP490\change.log Object is locked skipped
C:\VundoFix Backups\cjxqyays.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\ktpbuyop.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\lnmzzqct.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\lrkyqokg.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\qytdvgmw.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\rkoftbgj.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\uiqzomwn.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\vfmsdqfk.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\aievaxwc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddccyya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\WINDOWS\system32\dmjgkrni.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\grgumgsm.dll Infected: Trojan.Win32.BHO.zo skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ilbtqhcr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\kddlp.exe Infected: Trojan.Win32.DNSChanger.acs skipped
C:\WINDOWS\system32\kddrd.exe Infected: Trojan.Win32.DNSChanger.acs skipped
C:\WINDOWS\system32\kdjiu.exe Infected: Trojan.Win32.DNSChanger.acs skipped
C:\WINDOWS\system32\kdmrn.exe Infected: Trojan.Win32.DNSChanger.acs skipped
C:\WINDOWS\system32\kdrzj.exe Infected: Trojan.Win32.DNSChanger.acs skipped
C:\WINDOWS\system32\ppxqqoqt.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.h skipped
C:\WINDOWS\system32\rqipflfx.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\ruphjudf.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\sakpwryt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\snvbavan.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xgspuwvt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\yenyhngn.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7a0.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Hello :)

Rename HijackThis.exe to Scanner.exe by doing the following:

  • Navigate to C:\Program Files\Trend Micro\HijackThis
  • Right-click on HijackThis.exe
  • Choose "Rename" from the pull-down menu
  • Rename HijackThis.exe to Scanner.exe
_______________

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.
__________________

Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
C:\Documents and Settings\Administrator\WINDOWS

File::
C:\37.tmp
C:\WINDOWS\system32\aievaxwc.dll
C:\WINDOWS\system32\catdmtmi.ini
C:\WINDOWS\system32\cwxaveia.ini
C:\WINDOWS\system32\ddccyya.dll
C:\WINDOWS\system32\dmjgkrni.exe
C:\WINDOWS\system32\grgumgsm.dll
C:\WINDOWS\system32\ilbtqhcr.dll
C:\WINDOWS\system32\jcgamilf.dll
C:\WINDOWS\system32\kddlp.exe
C:\WINDOWS\system32\kddrd.exe
C:\WINDOWS\system32\kdjiu.exe
C:\WINDOWS\system32\kdmrn.exe
C:\WINDOWS\system32\kdrzj.exe
C:\WINDOWS\system32\lgclyoux.ini
C:\WINDOWS\system32\lnmzzqct.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ppxqqoqt.dll
C:\WINDOWS\system32\pvxjixyb.ini
C:\WINDOWS\system32\rchqtbli.ini
C:\WINDOWS\system32\rklbpofl.dll
C:\WINDOWS\system32\rqipflfx.exe
C:\WINDOWS\system32\ruphjudf.exe
C:\WINDOWS\system32\rnyisryf.dll
C:\WINDOWS\system32\sakpwryt.dll
C:\WINDOWS\system32\sdfixwcs.dll
C:\WINDOWS\system32\snvbavan.exe
C:\WINDOWS\system32\tyrwpkas.ini
C:\WINDOWS\system32\xgspuwvt.dll
C:\WINDOWS\system32\yayaayw.dll
C:\WINDOWS\system32\yenyhngn.exe
C:\WINDOWS\system32\yuybnsfs.dll

Folder::
C:\Program Files\QdrDrive
C:\Program Files\QdrModule

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0e407384-d1b5-4d7d-8193-599611444033}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{506E4BF2-FFB3-453E-8490-C23CE919647F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CFCB525-04E9-4959-8EBE-AF65BA683A86}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7e0737d2-015f-44aa-873a-2f4276526b21}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{861BDB04-BFB9-4A78-9E66-E07F1BADDB57}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95A0B330-5CB5-4CD3-A760-1ACF72FE7937}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96CB6BA5-59B8-4BCE-88EE-5AD66BDC6670}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0D6FAB8-9967-411C-9516-69CBC547329A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42471BC-CD91-445E-94EF-474145D84694}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bbttgglc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lnmzzqct]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaayw]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
_________________

Open HijackThis, click "Do a system scan only", and checkmark these entries. Then close all other windows except HijackThis and press "Fix checked".

O17 - HKLM\System\CCS\Services\Tcpip\..\{098D1E68-1210-40F5-94FA-36AED6647466}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C3B9347-74FB-4488-9F57-8AF49CF0CBAC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C980EEE-02EE-4ACE-9C94-EA4D29DEE607}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{95994582-EC05-4B26-B8DD-FB7C9F20B144}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C81268F0-79A9-4374-91B3-1B1982F78AB9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB735599-802C-4AEE-8361-392ACB3F82C4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{098D1E68-1210-40F5-94FA-36AED6647466}: NameServer = 208.67.220.220,208.67.222.222

______________________

Post:
- A fresh HijackThis log
- Contents of the logfile C:\fixwareout\report.txt
- Logfile of ComboFix
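The triage the helper does by eye above (flagging O17 NameServer entries that point at resolvers the owner never configured, O20 Winlogon Notify entries whose DLL is missing, O4 entries that launch a random-named DLL through rundll32, and tallying what the Kaspersky report found) can be scripted over the log lines. This is an added example, not part of the thread and not code from HijackThis, ComboFix or Kaspersky; the allow-listed resolvers (TEST-NET addresses), the "random-looking name" heuristic and the Finding type are assumptions, and the sample lines are copied from the logs above except the TEST-NET line, which is constructed.

```python
"""Triage helper for HijackThis (HJT) and Kaspersky Online Scanner log lines.

Added example. Nothing here is part of the original thread or of the tools
it names; the resolver allow-list and the name heuristics are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption (constructed): the resolvers the machine's owner actually set.
# TEST-NET-1 addresses stand in for the real ISP resolvers. Anything else in
# an O17 NameServer entry is treated as a DNS hijack candidate (the thread's
# Kaspersky report lists several Trojan.Win32.DNSChanger hits).
EXPECTED_RESOLVERS = {"192.0.2.1", "192.0.2.2"}

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d., ]+)$')
O20_RE = re.compile(
    r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$')
KAV_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<name>\S+) skipped$')


@dataclass
class Finding:
    kind: str    # HJT section: O4, O17 or O20
    line: str    # the offending log line, verbatim
    reason: str  # why it was flagged


def check_line(line, expected=EXPECTED_RESOLVERS):
    """Return a Finding for one HJT line, or None if it looks benign."""
    line = line.strip()
    m = O17_RE.match(line)
    if m:
        servers = {s.strip() for s in m.group("servers").split(",") if s.strip()}
        unexpected = sorted(servers - set(expected))
        if unexpected:
            return Finding("O17", line, "unexpected DNS resolver(s): " + ", ".join(unexpected))
        return None
    m = O20_RE.match(line)
    if m:
        if m.group("missing"):
            return Finding("O20", line, "Winlogon Notify DLL is missing (dangling entry)")
        if m.group("path").lower().startswith("c:\\documents and settings"):
            return Finding("O20", line, "Winlogon Notify DLL loads from a user-writable location")
        return None
    m = O4_RE.match(line)
    if m and m.group("cmd").lower().startswith("rundll32"):
        # Heuristic (assumption): an 8-hex-digit value name, or a DLL whose
        # base name is 7-9 lowercase letters, is the pattern the thread's
        # Virtumonde/Vundo entries show (e.g. [b4bda793] ... pboopdos.dll).
        dll = re.search(r'([^\\"]+\.dll)', m.group("cmd"), re.IGNORECASE)
        base = dll.group(1).lower() if dll else ""
        if re.fullmatch(r'[0-9a-f]{8}', m.group("name")) or re.fullmatch(r'[a-z]{7,9}\.dll', base):
            return Finding("O4", line, "rundll32 loads a DLL with a random-looking name")
    return None


def triage(hjt_log, expected=EXPECTED_RESOLVERS):
    """Run check_line over a whole HJT log and return the findings in order."""
    return [f for f in (check_line(l, expected) for l in hjt_log.splitlines()) if f]


def summarise_kaspersky(report):
    """Count 'Infected:' detections per detection name; 'Object is locked'
    and archive-summary lines (e.g. 'NSIS: infected - 2') are not detections."""
    counts = Counter()
    for line in report.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            counts[m.group("name")] += 1
    return dict(counts)


# Sample HJT lines: all copied from the log in the thread except the
# TEST-NET O17 line, which is constructed to show a benign entry.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\pboopdos.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.0.2.1,192.0.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{098D1E68-1210-40F5-94FA-36AED6647466}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: abc32reg - C:\Documents and Settings\All Users\Documents\Settings\abc32.dll (file missing)
"""

# Sample Kaspersky lines, copied from the report in the thread.
SAMPLE_KAV = r"""
C:\WINDOWS\system32\kddlp.exe Infected: Trojan.Win32.DNSChanger.acs skipped
C:\WINDOWS\system32\kddrd.exe Infected: Trojan.Win32.DNSChanger.acs skipped
C:\WINDOWS\system32\sakpwryt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\37.tmp NSIS: infected - 2 skipped
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
    print(summarise_kaspersky(SAMPLE_KAV))
```

Feed it the whole HJT log rather than excerpts; lines it does not understand are ignored, so the output is only the entries worth a closer look, not a verdict.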
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:53 AM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\Scanner.exe\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {506E4BF2-FFB3-453E-8490-C23CE919647F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6CFCB525-04E9-4959-8EBE-AF65BA683A86} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: (no name) - {7e0737d2-015f-44aa-873a-2f4276526b21} - (no file)
O2 - BHO: (no name) - {861BDB04-BFB9-4A78-9E66-E07F1BADDB57} - (no file)
O2 - BHO: (no name) - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {95A0B330-5CB5-4CD3-A760-1ACF72FE7937} - (no file)
O2 - BHO: (no name) - {96CB6BA5-59B8-4BCE-88EE-5AD66BDC6670} - (no file)
O2 - BHO: (no name) - {A0D6FAB8-9967-411C-9516-69CBC547329A} - (no file)
O2 - BHO: (no name) - {D42471BC-CD91-445E-94EF-474145D84694} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\pboopdos.dll",b
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: abc32reg - C:\Documents and Settings\All Users\Documents\Settings\abc32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 11421 bytes
 
ComboFix 07-11-19.4 - User 2007-11-30 10:02:38.13 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.211 [GMT -8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-30 01:21 <DIR> d-------- C:\Program Files\Java
2007-11-29 19:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-29 19:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2007-11-29 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-29 19:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-29 18:23 790,259 ---hs---- C:\WINDOWS\system32\sodpoobp.ini
2007-11-29 18:22 85,056 --a------ C:\WINDOWS\system32\pboopdos.dll
2007-11-28 22:19 <DIR> d-------- C:\MGtools
2007-11-27 11:44 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-27 07:30 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-11-27 07:29 56,316 --a------ C:\MGlogs.zip
2007-11-25 19:26 <DIR> d-------- C:\Documents and Settings\User\Application Data\Grisoft
2007-11-25 19:25 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-24 17:48 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-11-24 17:48 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-11-24 10:40 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Sunbelt Software
2007-11-23 21:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 20:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-23 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 20:20 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-23 20:20 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-23 20:20 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-23 19:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-23 19:07 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-23 19:07 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-23 19:07 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-23 18:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-23 14:51 <DIR> d-------- C:\Documents and Settings\User\Application Data\Sunbelt Software
2007-11-23 14:48 34,688 --a------ C:\WINDOWS\system32\drivers\lbrtfdc.sys
2007-11-23 14:48 34,688 --a--c--- C:\WINDOWS\system32\dllcache\lbrtfdc.sys
2007-11-23 14:48 18,688 --a------ C:\WINDOWS\system32\drivers\cdaudio.sys
2007-11-23 14:48 8,192 --a------ C:\WINDOWS\system32\drivers\i2omgmt.sys
2007-11-23 14:48 8,192 --a--c--- C:\WINDOWS\system32\dllcache\i2omgmt.sys
2007-11-23 14:48 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2007-11-23 14:48 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2007-11-23 14:47 8,192 --a------ C:\WINDOWS\system32\drivers\changer.sys
2007-11-23 14:47 8,192 --a--c--- C:\WINDOWS\system32\dllcache\changer.sys
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-11-23 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-11-23 11:53 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2007-11-19 23:18 <DIR> d-------- C:\Westwood
2007-11-19 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-19 17:22 <DIR> d-------- C:\VundoFix Backups
2007-11-18 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-18 00:09 <DIR> d-------- C:\Program Files\QdrModule
2007-11-18 00:09 <DIR> d-------- C:\Program Files\QdrDrive
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-11 22:00 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\Yahoo!
2007-10-11 21:59 <DIR> d-------- C:\Documents and Settings\Jacob\Application Data\MySpace
2007-10-10 12:48 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 07:22 --------- d-----w C:\Program Files\Yahoo!
2007-11-30 07:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-28 23:33 --------- d-----w C:\Program Files\Google
2007-11-23 21:00 --------- d-----w C:\Program Files\Pure Networks
2007-11-20 01:17 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-20 01:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 01:13 --------- d-----w C:\Program Files\Cosmi
2007-10-03 21:48 --------- d-----w C:\Program Files\Picasa2
2007-10-01 03:12 --------- d-----w C:\Documents and Settings\User\Application Data\MySpace
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2003-11-03 04:52 301,321 -c--a-w C:\Documents and Settings\All Users\Office 2003 Editions 60 Day Trial.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-28_ 9.25.37.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-30 03:23:48 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-30 03:23:48 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-30 03:23:48 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2005-12-03 18:36:37 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-30 08:44:20 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-12-03 18:36:37 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-30 08:44:20 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-03 18:36:37 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-30 08:44:20 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-07 14:00:00 8,179 ----a-w C:\WINDOWS\system32\dmremote.dll
+ 2004-08-07 14:00:00 8,284 ----a-w C:\WINDOWS\system32\dmremote.dll
- 2004-08-05 14:00:00 106,496 ----a-w C:\WINDOWS\system32\fltmc.dll
+ 2004-08-07 16:00:00 98,304 ----a-w C:\WINDOWS\system32\fltmc.dll
+ 2007-06-13 10:23:07 75,780 ----a-w C:\WINDOWS\system32\kdmci.exe
- 2004-08-05 14:00:00 34,408 ----a-w C:\WINDOWS\system32\krnl386.dll
+ 2004-08-08 13:00:00 34,408 ----a-w C:\WINDOWS\system32\krnl386.dll
- 2004-08-05 16:00:00 3,521 ----a-w C:\WINDOWS\system32\sndrec32.dll
+ 2004-08-05 14:00:00 61,036 ----a-w C:\WINDOWS\system32\sndrec32.dll
+ 2007-11-30 17:48:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_74c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{506E4BF2-FFB3-453E-8490-C23CE919647F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CFCB525-04E9-4959-8EBE-AF65BA683A86}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7e0737d2-015f-44aa-873a-2f4276526b21}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{861BDB04-BFB9-4A78-9E66-E07F1BADDB57}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95A0B330-5CB5-4CD3-A760-1ACF72FE7937}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96CB6BA5-59B8-4BCE-88EE-5AD66BDC6670}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0D6FAB8-9967-411C-9516-69CBC547329A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D42471BC-CD91-445E-94EF-474145D84694}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-29 23:32]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-27 15:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 17:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 16:59]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 15:17 C:\WINDOWS\agrsmmsg.exe]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-03-08 14:27]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-04-20 14:56 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 19:08]
"TPSMain"="TPSMain.exe" [2004-12-28 15:02 C:\WINDOWS\system32\TPSMain.exe]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-26 06:59]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 15:51]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-12-24 09:07]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 15:25]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 02:06]
"ZoomingHook"="ZoomingHook.exe" [2004-05-01 12:41 C:\WINDOWS\system32\ZoomingHook.exe]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 12:06]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 01:36]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2005-04-12 15:18]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 09:55]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"CFSServ.exe"="CFSServ.exe" []
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 15:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"b4bda793"="C:\WINDOWS\system32\pboopdos.dll" [2007-11-29 18:22]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-18 16:37:12]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abc32reg]
C:\Documents and Settings\All Users\Documents\Settings\abc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2004-09-07 13:03 1077301 --a------ C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R1 SerTVOutCtlr;TOSHIBA Controls Driver -EPIOMngr;C:\WINDOWS\system32\drivers\EPIOMngr.sys
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
S1 StickyMesger;StickyMesger;\??\C:\Program Files\TOSHIBA\Accessibility\StickyMesger.sys
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 10:08:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 10:10:31
C:\ComboFix2.txt ... 2007-11-30 01:10
C:\ComboFix3.txt ... 2007-11-28 09:28
.
--- E O F ---
 
Username "User" - 2007-11-30 0:43:11 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"TOSHIBA Accessibility"="C:\\Program Files\\TOSHIBA\\Accessibility\\FnKeyHook.exe"
"TCtryIOHook"="TCtrlIOHook.exe"
"TFncKy"="TFncKy.exe"
"CeEKEY"="C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe"
"TPSMain"="TPSMain.exe"
"SVPWUTIL"="C:\\Program Files\\Toshiba\\Windows Utilities\\SVPWUTIL.exe SVPwUTIL"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"HWSetup"="C:\\Program Files\\TOSHIBA\\TOSHIBA Applet\\HWSetup.exe hwSetUP"
"Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"ZoomingHook"="ZoomingHook.exe"
"TPNF"="C:\\Program Files\\TOSHIBA\\TouchPad\\TPTray.exe"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"NDSTray.exe"="NDSTray.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"CFSServ.exe"="CFSServ.exe -NoClient"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"b4bda793"="rundll32.exe \"C:\\WINDOWS\\system32\\pboopdos.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
 
Hello :)

Disable AVG Anti-Spyware resident shield

  • Disconnect from the internet.
  • Double-click on the AVG Tray Icon
  • Double-click on "AVG Resident Shield"
  • Uncheck "Turn on AVG Resident Shield Protection" then click OK.
_________________

Open HijackThis, click Do a system scan only, and checkmark these entries. Then close all other windows except HijackThis and press Fix checked.

O2 - BHO: (no name) - {506E4BF2-FFB3-453E-8490-C23CE919647F} - (no file)
O2 - BHO: (no name) - {6CFCB525-04E9-4959-8EBE-AF65BA683A86} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: (no name) - {7e0737d2-015f-44aa-873a-2f4276526b21} - (no file)
O2 - BHO: (no name) - {861BDB04-BFB9-4A78-9E66-E07F1BADDB57} - (no file)
O2 - BHO: (no name) - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - (no file)
O2 - BHO: (no name) - {95A0B330-5CB5-4CD3-A760-1ACF72FE7937} - (no file)
O2 - BHO: (no name) - {96CB6BA5-59B8-4BCE-88EE-5AD66BDC6670} - (no file)
O2 - BHO: (no name) - {A0D6FAB8-9967-411C-9516-69CBC547329A} - (no file)
O2 - BHO: (no name) - {D42471BC-CD91-445E-94EF-474145D84694} - (no file)
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\pboopdos.dll",b
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: abc32reg - C:\Documents and Settings\All Users\Documents\Settings\abc32.dll (file missing)

______________________

Make your hidden files visible:
  • Click start
  • Click my computer
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button, and close My Computer.
___________________

Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
____________________

Please Download Dr.Web CureIt and save it to your desktop.

Run a scan with Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This scans the files currently running in memory; when something is found, click Yes when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
__________________

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
_____________________

Delete these files (using Windows Explorer; Windows key + E):

C:\WINDOWS\system32\pboopdos.dll
C:\WINDOWS\system32\sodpoobp.ini
C:\WINDOWS\system32\fltmc.dll
C:\WINDOWS\system32\kdmci.exe
C:\WINDOWS\system32\sndrec32.dll
____________________

Post:
- A fresh HijackThis log
- Cure-it report
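The entries the helper picked out above follow a handful of recognisable patterns: BHO registrations whose DLL is already gone, a Run value with a random-looking name that launches a DLL through rundll32, a Winlogon Notify DLL that is missing or sits outside the usual program directories, and NameServer overrides. As an added example for this thread (not a tool the helper used, and not part of the original post), the Python below applies those rules to HijackThis lines and also checks a ComboFix file listing for a .dll/.ini pair whose names are mirror images (pboopdos.dll and sodpoobp.ini in the listing above), a naming habit associated with the Vundo/Virtumonde family named in the thread title. The sample lines are copied from the logs posted in this thread; the severity labels, the eight-hex-character heuristic for random value names and the resolver allow-list are assumptions made here, and the fact that 208.67.222.222 and 208.67.220.220 are OpenDNS resolvers is general knowledge, not something the thread states.

```python
"""Triage HijackThis lines and a ComboFix file listing for Vundo-style autostarts.

Added example for this thread, not a tool the helper used. The sample lines
below are copied from the logs posted above; the severity labels, the
random-name heuristic and the resolver allow-list are assumptions made here.
"""
import re

RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,', re.I)
RANDOM_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)          # Run value names like b4bda793
SYSTEM_DIRS = (r'c:\windows\system32', r'c:\program files')  # where a Winlogon Notify DLL normally lives
# General knowledge, not from the thread: these two addresses are OpenDNS resolvers.
KNOWN_RESOLVERS = {'208.67.222.222', '208.67.220.220'}


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if it looks benign."""
    line = line.strip()
    if line.startswith('O2 - BHO:') and line.endswith('(no file)'):
        return ('low', 'orphaned BHO CLSID, the DLL is already gone; remove the registration')
    if line.startswith('O4 - ') and '\\Run:' in line:
        m = re.search(r'\[([^\]]+)\]\s*(.*)$', line)
        if m:
            name, cmd = m.group(1), m.group(2)
            dll = RUNDLL_RE.search(cmd)
            if dll and RANDOM_NAME_RE.match(name):
                return ('high', f'rundll32 loads {dll.group(1)} under random value name {name}')
            if dll:
                return ('medium', f'rundll32 loads {dll.group(1)} at logon; confirm its publisher')
    if line.startswith('O20 - Winlogon Notify:'):
        path = line.split(' - ', 2)[-1]
        if '(file missing)' in path:
            return ('high', 'Winlogon Notify DLL missing: dangling autostart, delete the key')
        if not path.lower().startswith(SYSTEM_DIRS):
            return ('high', f'Winlogon Notify DLL in an unusual location: {path}')
    if line.startswith('O17 - ') and 'NameServer' in line:
        servers = set(line.split('=')[-1].replace(' ', '').split(','))
        unknown = servers - KNOWN_RESOLVERS
        if unknown:
            return ('high', f'DNS overridden to unrecognised resolvers: {sorted(unknown)}')
        return ('verify', f'DNS overridden to {sorted(servers)}; keep only if the user chose it')
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, reason, line), ...] in log order."""
    out = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            out.append((hit[0], hit[1], line.strip()))
    return out


def find_reversed_pairs(paths):
    """Pair each .dll with a .ini whose base name is the DLL's name spelled backwards
    (pboopdos.dll / sodpoobp.ini in the ComboFix listing above); both halves of such
    a pair should be removed together."""
    by_ext = {}
    for p in paths:
        base = p.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        stem, _, ext = base.rpartition('.')
        by_ext.setdefault(ext, {})[stem] = p
    return [(dll, by_ext['ini'][stem[::-1]])
            for stem, dll in by_ext.get('dll', {}).items()
            if stem[::-1] in by_ext.get('ini', {})]


# Sample input copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {506E4BF2-FFB3-453E-8490-C23CE919647F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\pboopdos.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: abc32reg - C:\Documents and Settings\All Users\Documents\Settings\abc32.dll (file missing)
"""
SAMPLE_FILES = [
    r'C:\WINDOWS\system32\sodpoobp.ini',
    r'C:\WINDOWS\system32\pboopdos.dll',
    r'C:\WINDOWS\system32\drivers\AvgAsCln.sys',
    r'C:\WINDOWS\bdoscandel.exe',
]

if __name__ == '__main__':
    for sev, why, line in triage(SAMPLE_HJT):
        print(f'[{sev:6}] {why}\n         {line}')
    for dll, ini in find_reversed_pairs(SAMPLE_FILES):
        print(f'reversed-name pair: {dll} <-> {ini}')
```

Run against the sample it reports the orphaned BHO as low, the b4bda793 rundll32 entry and the missing abc32.dll Notify DLL as high, and the OpenDNS NameServer lines as "verify" rather than "high", since a user may well have set those resolvers on purpose; that is why the helper's fix list and a script like this should only be read together with the user's own account of what they installed.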
 
Hello...I completed everything that you requested. I could not find this file in the HJT scan.

O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\pboopdos.dll",b

And these files from the last set of directions were not found:

C:\WINDOWS\system32\pboopdos.dll
C:\WINDOWS\system32\fltmc.dll

________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:48 AM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Scanner.exe\scanner.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 9073 bytes
 
RegUBP2b-User.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\Program Files\Mozilla Firefox\smitRem;Tool.Prockill;Moved.;
pv.exe;C:\Program Files\Mozilla Firefox\smitRem;Program.PrcView.3741;Moved.;
QdrModule9.exe;C:\Program Files\QdrModule;Trojan.Click.origin;Incurable.Moved.;
A0073662.dll;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP473;Adware.SearchAid.origin;Moved.;
A0075023.exe;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474;Tool.Prockill;Moved.;
A0075024.exe;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474;Program.PrcView.3741;Moved.;
A0075035.exe;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474;Tool.Prockill;Moved.;
A0075036.exe;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP474;Program.PrcView.3741;Moved.;
A0075264.reg;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP476;Trojan.StartPage.1505;Deleted.;
A0075585.reg;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP478;Trojan.StartPage.1505;Deleted.;
A0075653.reg;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP478;Trojan.StartPage.1505;Deleted.;
A0077736.reg;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP478;Trojan.StartPage.1505;Deleted.;
A0077819.reg;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP478;Trojan.StartPage.1505;Deleted.;
A0078872.dll;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP487;Trojan.Juan.25;Deleted.;
A0079020.exe;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP488;Tool.Prockill;Moved.;
A0079021.exe;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP488;Program.PrcView.3741;Moved.;
A0081616.dll;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP495;Trojan.Juan.25;Deleted.;
A0081620.dll;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP495;Trojan.Juan.25;Deleted.;
A0083048.reg;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP499;Trojan.StartPage.1505;Deleted.;
A0083049.exe;C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP499;Trojan.Click.origin;Incurable.Moved.;
 
Hello :)

Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (if available, otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post a fresh HijackThis log & Kaspersky's report.
 
I cannot scan w/ Kaspersky Online Scanner because IE keeps shutting down. Should I use the Kaspersky File scanner instead?

By the way, this is the virus that keeps coming up when I open IE.

hxxp://microcbs.com/eur/sk.exe\[FSG]\[Embedded#4000]

Win32:Neptunia-AS [Trj]
 
Hello :)

  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start -> Run
  • Copy and paste the contents of the below codebox into the run box
    Code:
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic, along with a new HijackThis log
 