Old 12-16-2007, 08:54 AM   #21 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Okay, here is the next log from ComboFix.

Thanks


ComboFix 07-12-15.5 - John 2007-12-17 10:36:17.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.524 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\22.tmp
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\2291350389.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\22.tmp
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\2291350389.dat

.
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-16 20:25 . 2007-12-16 20:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-16 18:15 . 2007-12-04 20:31 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-13 21:49 . 2007-12-16 23:40 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-12 19:28 . 2007-12-16 22:52 <DIR> d-------- C:\Program Files\iTunes
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-05 15:32 . 2007-12-05 15:32 <DIR> d-------- C:\Deckard
2007-12-05 15:01 . 2007-12-05 15:01 <DIR> d-------- C:\New Folder (2)
2007-12-04 23:57 . 2007-12-04 23:57 <DIR> d-------- C:\KAV
2007-12-04 20:26 . 2007-12-04 20:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 20:26 . 2007-12-04 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 20:19 . 2007-12-04 20:19 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-03 22:04 . 2007-12-03 22:10 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-03 21:59 . 2007-12-03 21:59 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-03 19:25 . 2007-12-03 19:25 <DIR> d-------- C:\Program Files\New Folder 1
2007-12-03 19:24 . 2007-12-03 19:24 <DIR> d-------- C:\Documents and Settings\John\Application Data\DivX
2007-12-03 19:23 . 2007-10-19 19:56 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-12-03 19:23 . 2007-10-19 19:56 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-03 19:23 . 2007-10-19 19:56 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-03 19:09 . 2007-12-03 19:09 <DIR> d-------- C:\XRAYS
2007-12-03 19:09 . 1993-05-12 00:00 398,416 --a------ C:\WINDOWS\system\VBRUN300.DLL
2007-12-03 19:09 . 1993-04-28 00:00 7,008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2007-12-03 18:26 . 2007-12-03 18:26 <DIR> d-------- C:\finalburner
2007-12-03 18:26 . 2007-12-03 18:26 <DIR> d-------- C:\Documents and Settings\John\Application Data\FinalBurner Video DVD
2007-12-03 17:12 . 2007-12-03 17:12 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-03 17:12 . 2007-12-03 17:12 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 17:11 . 2007-12-03 18:53 <DIR> d-------- C:\Program Files\Gabest
2007-12-03 17:07 . 2007-12-03 17:07 <DIR> d-------- C:\New Folder
2007-12-02 12:40 . 2007-12-02 12:40 <DIR> d-------- C:\WINDOWS\ASYM
2007-12-02 12:40 . 2007-12-02 12:40 <DIR> d-------- C:\CLINATLS
2007-12-02 12:40 . 1998-08-24 16:24 109 --a------ C:\WINDOWS\TB50.INI
2007-12-02 12:40 . 2007-12-02 12:40 0 --a------ C:\WINDOWS\asym.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 15:35 --------- d-----w C:\Documents and Settings\John\Application Data\BitTorrent DNA
2007-12-17 03:54 --------- d-----w C:\Program Files\MSN Messenger
2007-12-17 03:53 --------- d-----w C:\Program Files\ltmoh
2007-12-17 03:50 --------- d-----w C:\Program Files\Google
2007-12-17 03:49 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-17 03:47 --------- d-----w C:\Program Files\Apoint2K
2007-12-17 03:09 --------- d-----w C:\Documents and Settings\John\Application Data\BitTorrent
2007-12-16 22:00 --------- d-----w C:\Program Files\Eraser
2007-12-16 20:04 --------- d-----w C:\Documents and Settings\John\Application Data\Skype
2007-12-14 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-13 00:28 --------- d-----w C:\Program Files\QuickTime
2007-12-13 00:28 --------- d-----w C:\Program Files\iPod
2007-12-13 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-06 22:40 --------- d-----w C:\Documents and Settings\John\Application Data\AVG7
2007-12-04 00:43 --------- d-----w C:\Program Files\DivX
2007-12-03 21:02 --------- d-----w C:\Program Files\TVU Player
2007-11-14 14:57 --------- d-----w C:\Program Files\PokerStars
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-03 23:35 --------- d-----w C:\Program Files\Full Tilt Poker
2007-11-03 18:39 --------- d-----w C:\Program Files\BitTorrent
2007-10-20 00:56 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-10-08 19:14 737,280 ----a-w C:\WINDOWS\iun6002.exe
2006-11-28 02:13 6,440,983 ----a-w C:\Program Files\VideoraiPodConverter_Install.exe
2006-11-21 05:20 2,017,280 ----a-w C:\Program Files\ewpwin264en.exe
2006-10-13 01:32 22,616 ----a-w C:\Documents and Settings\John\Application Data\GDIPFONTCACHEV1.DAT
2006-02-28 01:15 2,509,704 ----a-w C:\Program Files\fgf171.exe
2006-02-27 23:08 2,417,824 ----a-w C:\Program Files\winzip90sr1.exe
2007-03-09 07:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-16_20.29.55.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 13:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2003-08-01 19:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2003-08-01 16:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2007-11-12 14:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2007-11-26 16:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2007-06-04 16:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2007-10-30 15:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
- 2006-08-23 2108 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-11-21 15:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 18:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2007-10-18 14:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 19:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 14:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 16:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 13:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 20:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 13:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 13:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 20:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 16:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 16:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-06-08 14:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 15:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 2007-09-17 14:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 23:46]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"Eraser"="C:\Program Files\Eraser\eraser.exe" [2006-08-07 16:07]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-03 13:39]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 15:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 00:55]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 00:52]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 00:55]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 02:49 C:\WINDOWS\RTHDCPL.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 09:40]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 19:28]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 14:13]
"NDSTray.exe"="NDSTray.exe" []
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 08:20]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 12:58 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 16:45]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 15:25]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 16:45]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 17:50 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-12-27 19:34 C:\WINDOWS\system32\TDispVol.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 20:16 C:\WINDOWS\system32\TPSMain.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-17 14:37]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 17:29 C:\WINDOWS\agrsmmsg.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 15:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 14:41]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-26 16:30]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2005-12-13 01:18]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-08 22:09]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 16:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-21 21:00:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
S3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;C:\WINDOWS\system32\DRIVERS\DLKRCB.SYS
S4 WMPNetworkSvcaspnet_state;Windows Media Player Network Sharing Service WMPNetworkSvcaspnet_state;C:\WINDOWS\system32\w32drv10.exe srv

.
Contents of the 'Scheduled Tasks' folder
"2007-12-16 20:18:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2006-02-13 13:42:32 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-02-13 13:42:33 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 10:42:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\TDispVol.dll
.
Completion time: 2007-12-17 10:43:16 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-16 20:30
.
2007-12-14 23:18:26 --- E O F ---
john123 is offline  
Old 12-16-2007, 09:00 AM   #22 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

I forgot to say,

In terms of performance, the only thing I notice is that the Internet browser is slow.

Cheers
john123 is offline  
Old 12-16-2007, 11:23 AM   #23 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Also, on reboot WinPatrol has detected a change in a monitored file. The file name is HOSTS:
c:\windows\system32\drivers\etc\hosts.

It is asking me to accept or reject the change.

Not sure if this is one of the changes you have made with the help you have given me, so I have yet to accept it.

Thanks
john123 is offline  
Old 12-16-2007, 03:26 PM   #24 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: trojan and hijack log

Hi John,

Your browser might be slow because your temp cache was cleared. You can allow the changes to be made to your HOSTS file.


Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\system32\w32drv10.exe

Driver::
WMPNetworkSvcaspnet_state
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
forhockey is offline  
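The CFScript above removes w32drv10.exe together with the service registration that loads it, the line "S4 WMPNetworkSvcaspnet_state;Windows Media Player Network Sharing Service WMPNetworkSvcaspnet_state;C:\WINDOWS\system32\w32drv10.exe srv" in the first log. As an added example, not part of this thread and not ComboFix's own code, the Python below parses the service lines from the two ComboFix logs posted here, flags the rogue one with a few look-alike-name heuristics (the known-service-name and system32-host lists are small hand-picked assumptions, as is the reading of the R/S prefix), and confirms by diffing the two logs that the entry is gone after the fix.

```python
import re
from typing import NamedTuple

# One line per service/driver in the "Reg Loading Points" section of a ComboFix log:
#   <R|S><start type> <service name>;<display name>;<image path [arguments]>
# Assumption about the prefix: R = running, S = stopped, digit = the service's Start
# value (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>\S.*)$"
)

# Constructed sample input: the service lines copied from the two logs in this thread.
BEFORE_FIX = r"""
R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
S3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;C:\WINDOWS\system32\DRIVERS\DLKRCB.SYS
S4 WMPNetworkSvcaspnet_state;Windows Media Player Network Sharing Service WMPNetworkSvcaspnet_state;C:\WINDOWS\system32\w32drv10.exe srv
"""
AFTER_FIX = r"""
R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
S3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;C:\WINDOWS\system32\DRIVERS\DLKRCB.SYS
"""

# Real Windows service names that malware borrows for look-alike names.
# Assumption: a small hand-picked set, not an exhaustive catalogue.
KNOWN_SERVICE_NAMES = {"WMPNetworkSvc", "aspnet_state", "wuauserv", "Spooler", "Dnscache", "RpcSs"}

# Microsoft user-mode service hosts normally found directly in system32.
# Assumption: small sample; any other .exe registered there deserves a second look.
EXPECTED_SYSTEM32_HOSTS = {"svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe", "alg.exe", "msiexec.exe"}


class ServiceEntry(NamedTuple):
    start: str
    name: str
    display: str
    image: str


def parse_services(log_text: str) -> list:
    """Extract service/driver entries from ComboFix log text."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            entries.append(ServiceEntry(**m.groupdict()))
    return entries


def suspicious_reasons(e: ServiceEntry) -> list:
    """Heuristics for a rogue service registration; returns human-readable reasons."""
    reasons = []
    # 1. Name built by gluing two legitimate service names together.
    for a in KNOWN_SERVICE_NAMES:
        for b in KNOWN_SERVICE_NAMES:
            if a != b and e.name == a + b:
                reasons.append(f"name concatenates known services {a} and {b}")
    # 2. Display name that merely restates the internal name (generated, not localized).
    if e.name in e.display and e.display != e.name:
        reasons.append("display name embeds the service name")
    # 3. User-mode .exe directly in system32 that is not one of the expected service hosts.
    image_path = e.image.split()[0].lower()
    parts = image_path.split("\\")
    if (len(parts) >= 2 and parts[-2] == "system32" and image_path.endswith(".exe")
            and parts[-1] not in EXPECTED_SYSTEM32_HOSTS):
        reasons.append(f"unexpected service binary {parts[-1]} directly under system32")
    return reasons


def flag_services(log_text: str) -> dict:
    """Map service name -> reasons, for entries with at least one reason."""
    flagged = {}
    for e in parse_services(log_text):
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[e.name] = reasons
    return flagged


def removed_services(before: str, after: str) -> set:
    """Service names present in the first log but gone from the second (verifies a fix)."""
    return {e.name for e in parse_services(before)} - {e.name for e in parse_services(after)}


if __name__ == "__main__":
    for name, reasons in flag_services(BEFORE_FIX).items():
        print(name, "->", "; ".join(reasons))
    print("removed by fix:", removed_services(BEFORE_FIX, AFTER_FIX))
```

Run against the two logs, the only flagged entry is WMPNetworkSvcaspnet_state, for all three reasons, and the diff shows it as the one registration removed by the second ComboFix pass; the legitimate Toshiba and D-Link drivers trigger nothing.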
Old 12-16-2007, 05:05 PM   #25 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Okay, here is the next log from ComboFix.

Thanks

ComboFix 07-12-15.5 - John 2007-12-17 18:54:52.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.622 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\w32drv10.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.

2007-12-17 10:42 . 2007-12-17 12:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-17 10:42 . 2007-12-17 10:42 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-16 20:25 . 2007-12-16 20:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-16 18:15 . 2007-12-04 20:31 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-13 21:49 . 2007-12-16 23:40 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-12 19:28 . 2007-12-16 22:52 <DIR> d-------- C:\Program Files\iTunes
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-05 15:32 . 2007-12-05 15:32 <DIR> d-------- C:\Deckard
2007-12-05 15:01 . 2007-12-05 15:01 <DIR> d-------- C:\New Folder (2)
2007-12-04 23:57 . 2007-12-04 23:57 <DIR> d-------- C:\KAV
2007-12-04 20:26 . 2007-12-04 20:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 20:26 . 2007-12-04 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 20:19 . 2007-12-04 20:19 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-03 22:04 . 2007-12-03 22:10 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-03 21:59 . 2007-12-03 21:59 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-03 19:25 . 2007-12-03 19:25 <DIR> d-------- C:\Program Files\New Folder 1
2007-12-03 19:24 . 2007-12-03 19:24 <DIR> d-------- C:\Documents and Settings\John\Application Data\DivX
2007-12-03 19:23 . 2007-10-19 19:56 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-12-03 19:23 . 2007-10-19 19:56 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-03 19:23 . 2007-10-19 19:56 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-03 19:09 . 2007-12-03 19:09 <DIR> d-------- C:\XRAYS
2007-12-03 19:09 . 1993-05-12 00:00 398,416 --a------ C:\WINDOWS\system\VBRUN300.DLL
2007-12-03 19:09 . 1993-04-28 00:00 7,008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2007-12-03 18:26 . 2007-12-03 18:26 <DIR> d-------- C:\finalburner
2007-12-03 18:26 . 2007-12-03 18:26 <DIR> d-------- C:\Documents and Settings\John\Application Data\FinalBurner Video DVD
2007-12-03 17:12 . 2007-12-03 17:12 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-03 17:12 . 2007-12-03 17:12 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 17:11 . 2007-12-03 18:53 <DIR> d-------- C:\Program Files\Gabest
2007-12-03 17:07 . 2007-12-03 17:07 <DIR> d-------- C:\New Folder
2007-12-02 12:40 . 2007-12-02 12:40 <DIR> d-------- C:\WINDOWS\ASYM
2007-12-02 12:40 . 2007-12-02 12:40 <DIR> d-------- C:\CLINATLS
2007-12-02 12:40 . 1998-08-24 16:24 109 --a------ C:\WINDOWS\TB50.INI
2007-12-02 12:40 . 2007-12-02 12:40 0 --a------ C:\WINDOWS\asym.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 23:54 --------- d-----w C:\Program Files\Eraser
2007-12-17 23:51 --------- d-----w C:\Documents and Settings\John\Application Data\BitTorrent DNA
2007-12-17 22:03 --------- d-----w C:\Documents and Settings\John\Application Data\Skype
2007-12-17 16:39 --------- d-----w C:\Documents and Settings\John\Application Data\BitTorrent
2007-12-17 03:54 --------- d-----w C:\Program Files\MSN Messenger
2007-12-17 03:53 --------- d-----w C:\Program Files\ltmoh
2007-12-17 03:50 --------- d-----w C:\Program Files\Google
2007-12-17 03:49 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-17 03:47 --------- d-----w C:\Program Files\Apoint2K
2007-12-14 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-13 00:28 --------- d-----w C:\Program Files\QuickTime
2007-12-13 00:28 --------- d-----w C:\Program Files\iPod
2007-12-13 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-06 22:40 --------- d-----w C:\Documents and Settings\John\Application Data\AVG7
2007-12-04 00:43 --------- d-----w C:\Program Files\DivX
2007-12-03 21:02 --------- d-----w C:\Program Files\TVU Player
2007-11-14 14:57 --------- d-----w C:\Program Files\PokerStars
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-03 23:35 --------- d-----w C:\Program Files\Full Tilt Poker
2007-11-03 18:39 --------- d-----w C:\Program Files\BitTorrent
2007-10-20 00:56 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-10-08 19:14 737,280 ----a-w C:\WINDOWS\iun6002.exe
2006-11-28 02:13 6,440,983 ----a-w C:\Program Files\VideoraiPodConverter_Install.exe
2006-11-21 05:20 2,017,280 ----a-w C:\Program Files\ewpwin264en.exe
2006-10-13 01:32 22,616 ----a-w C:\Documents and Settings\John\Application Data\GDIPFONTCACHEV1.DAT
2006-02-28 01:15 2,509,704 ----a-w C:\Program Files\fgf171.exe
2006-02-27 23:08 2,417,824 ----a-w C:\Program Files\winzip90sr1.exe
2007-03-09 07:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-16_20.29.55.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 13:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2003-08-01 19:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2003-08-01 16:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2007-11-12 14:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2007-11-26 16:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2007-06-04 16:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2007-10-30 15:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
- 2006-08-23 2108 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-11-21 15:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 18:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2007-10-18 14:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 19:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 14:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 16:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 13:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 20:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 13:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 13:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 20:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 16:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 16:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-06-08 14:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 15:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 2007-09-17 14:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 23:46]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"Eraser"="C:\Program Files\Eraser\eraser.exe" [2006-08-07 16:07]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-03 13:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 00:55]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 00:52]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 00:55]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 02:49 C:\WINDOWS\RTHDCPL.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 09:40]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 19:28]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 14:13]
"NDSTray.exe"="NDSTray.exe" []
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 08:20]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 12:58 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 16:45]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 15:25]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 16:45]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 17:50 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-12-27 19:34 C:\WINDOWS\system32\TDispVol.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 20:16 C:\WINDOWS\system32\TPSMain.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-17 14:37]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 17:29 C:\WINDOWS\agrsmmsg.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 15:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 14:41]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-26 16:30]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2005-12-13 01:18]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-08 22:09]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 16:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-21 21:00:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
S3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;C:\WINDOWS\system32\DRIVERS\DLKRCB.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 00:02:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2006-02-13 13:42:32 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-02-13 13:42:33 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 19:02:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\TDispVol.dll
.
Completion time: 2007-12-17 19:03:46 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-17 10:43
C:\ComboFix3.txt ... 2007-12-16 20:30
.
2007-12-14 23:18:26 --- E O F ---
john123 is offline  
Old 12-16-2007, 08:08 PM   #26 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: trojan and hijack log

Well done, your logs are clean! There are just a few more things I would like you to do.


The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

----------------------------------------------------------------

Re-Enable Windows Defender

Please re-enable your Windows Defender Real-time Protection.
  • Open Windows Defender.
  • Click on Tools>Options.
  • Scroll down and check "Use real-time protection (recommended)".
  • Then, click on the Save button and close Windows Defender.

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/cont...ticles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls


Informational Reading

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
Please respond to this thread one more time so we can mark this thread as resolved.
forhockey is offline  
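WinPatrol's HOSTS alert earlier in this thread and the MVPS HOSTS file recommended here are two sides of the same check: an entry that sends an ad domain to 0.0.0.0 or 127.0.0.1 is harmless blocking, while one that sends an update or antivirus domain to loopback, or any name to an outside address, is a hijack and should be rejected. As an added example (not from this thread, and not WinPatrol or MVPS code), the Python below parses a constructed HOSTS file and sorts its entries into those categories; the list of protected domain suffixes is an illustrative assumption.

```python
import ipaddress

# Constructed sample HOSTS file (not from the thread): the XP default line, two MVPS-style
# ad blocks, one entry that points an update domain at loopback, and one that redirects a
# bank's names to an outside address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ad.doubleclick.net          # MVPS-style block
0.0.0.0  banners.example-ads.net     # MVPS-style block
127.0.0.1  windowsupdate.microsoft.com
203.0.113.5  www.example-bank.com  online.example-bank.com
"""

# Domains that must never be pointed at loopback: OS updates and antivirus vendors.
# Assumption: an illustrative subset, not a complete list.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "grisoft.com", "avg.com",
    "kaspersky.com", "trendmicro.com", "symantec.com", "mcafee.com",
)

LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (line number, ip, hostname) for every mapping; comments and junk skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: not a hosts mapping
        for host in fields[1:]:
            entries.append((n, ip, host.lower()))
    return entries


def _is_protected(host):
    # Match on label boundaries so "evilmicrosoft.com" does not count as microsoft.com.
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip, host):
    """One of: default, blocklist, blocks_protected_site, redirect."""
    if host in ("localhost", "localhost.localdomain") and ip in LOOPBACK_OR_NULL:
        return "default"
    if ip in LOOPBACK_OR_NULL:
        # Sinkholing a vendor or update domain starves the machine of patches and signatures.
        return "blocks_protected_site" if _is_protected(host) else "blocklist"
    # Anything else resolves a name to a real address chosen by whoever wrote the file.
    return "redirect"


def audit_hosts(text):
    """Group every mapping by category."""
    groups = {"default": [], "blocklist": [], "blocks_protected_site": [], "redirect": []}
    for entry in parse_hosts(text):
        groups[classify(entry[1], entry[2])].append(entry)
    return groups


def hijack_entries(text):
    """The entries a WinPatrol-style prompt should make you reject."""
    groups = audit_hosts(text)
    return groups["blocks_protected_site"] + groups["redirect"]


if __name__ == "__main__":
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        for n, ip, host in entries:
            print(f"line {n:2}: {category:22} {ip:12} {host}")
```

The two ad-domain lines come out as ordinary blocklist entries, which is what an MVPS install looks like and what can safely be accepted; the windowsupdate line and the two bank names are the ones a HOSTS change prompt should make you stop and reject.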
Old 12-17-2007, 03:45 PM   #27 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Awesome,

Thanks a bunch everyone.

Your time and effort was very much appreciated.

Merry Christmas.

jd
john123 is offline  
Old 12-17-2007, 04:24 PM   #28 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,930
OS: Windows 7 Ultimate


Re: trojan and hijack log

You're welcome.

Merry Christmas.

forhockey is offline  
 


Copyright 2001 - 2009, Tech Support Forum