Resolved HJT Threads Resolved spyware and popup issues.

Old 12-05-2007, 02:07 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


trojan and hijack log

Hello Forum,

I am hopeful that you are able to help me with the virus my computer has.

I have got some sort of virus/trojan from messing around on my computer. So this is a drag. My AVG picks it up and says it heals it, but it continues to come back. My WinPatrol blocks this (C:\WINDOWS\system32\ntos.exe) from the startup menu, but it continues to attempt to add itself to the startup.

I was not able to run the Panda scan, but I have pasted the scan from Kaspersky below.

Below the Kaspersky scan is the HijackThis log from DSS.

Thank you in advance.
***************************************************
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 04, 2007 11:56:51 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/12/2007
Kaspersky Anti-Virus database records: 472764


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 101701
Number of viruses found 10
Number of infected objects 21
Number of suspicious objects 0
Duration of the scan process 01:50:07

Infected Object Name Virus Name Last Action
C:\21.tmp Infected: Packed.Win32.Tibs.dc skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\John\.housecall6.6\log\engine0.log Object is locked skipped

C:\Documents and Settings\John\.housecall6.6\log\engine0.log.lck Object is locked skipped

C:\Documents and Settings\John\.housecall6.6\log\error0.log Object is locked skipped

C:\Documents and Settings\John\.housecall6.6\log\error0.log.lck Object is locked skipped

C:\Documents and Settings\John\.housecall6.6\log\execution0.log Object is locked skipped

C:\Documents and Settings\John\.housecall6.6\log\execution0.log.lck Object is locked skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-75cc1b73-6cdf2f1d.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-75cc1b73-6cdf2f1d.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-75cc1b73-6cdf2f1d.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-75cc1b73-6cdf2f1d.zip ZIP: infected - 3 skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-2f69e241.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-14e46f0-2f69e241.zip ZIP: infected - 1 skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-4e911c03.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-4e3272d0-4e911c03.zip ZIP: infected - 1 skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-5e7eb989-23531507.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-5e7eb989-23531507.zip ZIP: infected - 1 skipped

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\log\plugin150_04.trace Object is locked skipped

C:\Documents and Settings\John\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\John\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\History\History.IE5\MSHist012007120420071205\index.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\Temp\hsperfdata_John\1168 Object is locked skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\JHWQPX2Y\concerts[1].htm Infected: Trojan-Downloader.JS.Remora.bg skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\JHWQPX2Y\msntsrv[1].exe Infected: Trojan-PSW.Win32.LdPinch.eip skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\JHWQPX2Y\msntsrv[2].exe Infected: Backdoor.Win32.IRCBot.asu skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\N8WVL719\file[1].exe Infected: Trojan-Downloader.Win32.Small.gzc skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\N8WVL719\msntsrv[1].exe Infected: Trojan.Win32.Pakes.bsd skipped

C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\YTETX5D3\1[1].htm Infected: Exploit.HTML.IESlice.am skipped

C:\Documents and Settings\John\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\John\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\DAEMON Tools\URL2\MEAD-DAEMInst.exe/TR.dll Infected: not-a-virus:AdTool.Win32.WhenU.r skipped

C:\Program Files\DAEMON Tools\URL2\MEAD-DAEMInst.exe CAB: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{0F60396B-0F5E-4E50-B649-25D2D5E11E35}\RP791\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{01015C11-4EE0-4915-B2B1-8EA64F8A5612}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\2291350389.dat Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\ntos.exe Object is locked skipped

C:\WINDOWS\system32\w32drv0.exe Infected: Trojan-PSW.Win32.LdPinch.eip skipped

C:\WINDOWS\system32\w32drv1.exe Infected: Trojan.Win32.Pakes.bsd skipped

C:\WINDOWS\system32\w32drv10.exe Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wsnpoem\audio.dll Object is locked skipped

C:\WINDOWS\system32\wsnpoem\video.dll Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
************************************************

Deckard's System Scanner v20071014.68
Run by John on 2007-12-05 15:47:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
58: 2007-12-05 20:47:15 UTC - RP792 - Deckard's System Scanner Restore Point
57: 2007-12-05 01:27:33 UTC - RP791 - Software Distribution Service 3.0
56: 2007-12-04 02:59:14 UTC - RP790 - SPTD setup V1.50
55: 2007-12-04 00:45:47 UTC - RP789 - Removed EndNote X.0.2 Demonstration Edition
54: 2007-12-03 02:03:35 UTC - RP788 - System Checkpoint


-- First Restore Point --
1: 2007-09-13 14:04:38 UTC - RP735 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as John.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:48:25 PM, on 05/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Documents and Settings\John\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\John.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Super Audio Grabber 3.0] "C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe"/a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Super Audio Grabber 3.0] "C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe"/a
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
Attached Files
File Type: txt extra.txt (23.1 KB, 1 views)
john123 is offline  

Old 12-08-2007, 08:25 PM   #2 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: trojan and hijack log

Hi john123 and welcome to TSF.

Sorry for the delay in looking into your log, as we are extremely busy as you may have noticed. If you still require assistance, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Please run DSS again, and make sure to include the whole log it produces. It seems you have posted an incomplete log.

Thanks
forhockey is offline  
Old 12-08-2007, 10:27 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Hi,

Thanks for the reply. Here is the DSS log. This time it did not produce an extra file, so I have included the extra file from the original scan. I have noticed now that my internet has slowed, and also WinPatrol no longer seems to pick up the file I spoke of before, but there does seem to be the odd pop-up.

Thanks in advance.

John

Deckard's System Scanner v20071014.68
Run by John on 2007-12-09 00:19:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as John.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:19:32 AM, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\John.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Super Audio Grabber 3.0] "C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe"/a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Super Audio Grabber 3.0] "C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe"/a
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n020p/EN/install/gtdownlr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


-- Files created between 2007-11-09 and 2007-12-09 -----------------------------

2007-12-05 15:12:06 0 d-------- C:\HJT
2007-12-05 15:01:40 0 d-------- C:\New Folder (2)
2007-12-04 23:57:22 0 d-------- C:\KAV
2007-12-04 20:26:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 20:26:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 20:19:14 0 d--h----- C:\WINDOWS\PIF
2007-12-04 2007 109 --ahs---- C:\WINDOWS\system32\2291350389.dat
2007-12-04 20:05:48 46138 --a------ C:\WINDOWS\system32\w32drv10.exe
2007-12-04 20:05:34 0 d--hs---- C:\WINDOWS\system32\wsnpoem
2007-12-03 22:04:35 0 d-------- C:\Program Files\DAEMON Tools
2007-12-03 21:59:15 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-03 19:25:02 0 d-------- C:\Program Files\New Folder 1
2007-12-03 19:24:12 0 d-------- C:\Documents and Settings\John\Application Data\DivX
2007-12-03 19:09:42 0 d-------- C:\XRAYS
2007-12-03 19:09:29 398416 --a------ C:\WINDOWS\system\VBRUN300.DLL <Not Verified; Microsoft Corporation; Visual Basic 3.0>
2007-12-03 19:09:29 7008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2007-12-03 18:26:47 0 d-------- C:\finalburner
2007-12-03 18:26:47 0 d-------- C:\Documents and Settings\John\Application Data\FinalBurner Video DVD
2007-12-03 17:12:07 43698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 17:12:00 0 d-------- C:\Program Files\AviSynth 2.5
2007-12-03 17:11:52 0 d-------- C:\Program Files\Gabest
2007-12-03 17:07:49 0 d-------- C:\New Folder
2007-12-02 12:40:19 0 d-------- C:\WINDOWS\ASYM
2007-12-02 12:40:19 0 d-------- C:\CLINATLS
2007-11-11 00:59:31 0 d-------- C:\Program Files\PokerStars


-- Find3M Report ---------------------------------------------------------------

2007-12-07 15:51:28 0 d-------- C:\Documents and Settings\John\Application Data\BitTorrent
2007-12-07 13:22:55 0 d-------- C:\Program Files\Eraser
2007-12-07 13:22:55 0 d-------- C:\Documents and Settings\John\Application Data\BitTorrent DNA
2007-12-06 17:40:21 0 d-------- C:\Documents and Settings\John\Application Data\AVG7
2007-12-03 19:47:42 0 d-------- C:\Program Files\Common Files
2007-12-03 19:43:29 0 d-------- C:\Program Files\DivX
2007-12-03 16:02:38 0 d-------- C:\Program Files\TVU Player
2007-11-08 05:01:04 0 d-------- C:\Program Files\BitTorrent_DNA
2007-11-03 18:35:23 0 d-------- C:\Program Files\Full Tilt Poker
2007-11-03 13:39:22 0 d-------- C:\Program Files\BitTorrent
2007-10-19 19:56:16 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-19 19:54:28 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-10-19 19:54:28 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-10-19 19:54:12 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-10-19 19:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 19:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 19:54:10 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-18 04:02:34 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-11 21:07:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-08 14:14:25 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [28/11/2005 12:55 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [28/11/2005 12:52 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [28/11/2005 12:55 AM]
"RTHDCPL"="RTHDCPL.EXE" [09/12/2005 02:49 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 05:43 AM C:\WINDOWS\Alcmtr.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [23/03/2004 09:40 AM]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [13/12/2005 07:28 PM]
"@"="" []
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [01/12/2005 02:13 PM]
"NDSTray.exe"="NDSTray.exe" []
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [06/10/2005 08:20 AM]
"ZoomingHook"="ZoomingHook.exe" [06/06/2005 12:58 PM C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [26/04/2005 07:13 PM]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [01/05/2004 04:45 PM]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [30/11/2005 03:25 PM]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [01/05/2004 04:45 PM]
"TCtryIOHook"="TCtrlIOHook.exe" [05/12/2005 05:50 PM C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [27/12/2005 07:34 PM C:\WINDOWS\system32\TDispVol.exe]
"TPSMain"="TPSMain.exe" [31/05/2005 08:16 PM C:\WINDOWS\system32\TPSMain.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [17/08/2004 02:37 PM]
"AGRSMMSG"="AGRSMMSG.exe" [14/10/2005 05:29 PM C:\WINDOWS\agrsmmsg.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [05/12/2005 03:37 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [28/11/2005 02:41 PM]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [26/10/2007 04:30 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [13/12/2005 01:18 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/06/2006 10:09 PM]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/02/2006 07:33 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [30/12/2004 03:32 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 07:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [20/06/2007 11:46 PM]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"Eraser"="C:\Program Files\Eraser\eraser.exe" [07/08/2006 04:07 PM]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [03/11/2007 01:39 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 03:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 4:01:04 AM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [21/12/2005 9:00:05 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




-- End of Deckard's System Scanner: finished at 2007-12-09 00:19:47 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU T2300 @ 1.66GHz
CPU 1: Genuine Intel(R) CPU T2300 @ 1.66GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 1014.04 MiB / 546.5 MiB
Pagefile Memory (total/avail): 2444.07 MiB / 2045.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.1 MiB

C: is Fixed (NTFS) - 92.97 GiB total, 17.42 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK1032GSX - 92.97 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 92.97 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

AV: AVG 7.5.503 v7.5.503 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\kdx\\KDXClient 1.110.exe"="C:\\Program Files\\kdx\\KDXClient 1.110.exe:*:Enabled:KDXClient 1.110"
"C:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"="C:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe:*:Enabled:burst! download engine"
"C:\\Documents and Settings\\John\\Desktop\\KDXClient 1.110.exe"="C:\\Documents and Settings\\John\\Desktop\\KDXClient 1.110.exe:*:Enabled:KDXClient 1.110"
"C:\\Program Files\\TVU Player\\TVUPlayer.exe"="C:\\Program Files\\TVU Player\\TVUPlayer.exe:*:Enabled:TVUPlayer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\SAS\\SAS 9.1\\sas.exe"="C:\\Program Files\\SAS\\SAS 9.1\\sas.exe:*:Enabled:SAS 9.1 for Windows"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\SurfOffline\\SO.exe"="C:\\Program Files\\SurfOffline\\SO.exe:*:Enabled:SurfOffline - offline browser"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Participatory Culture Foundation\\Democracy Player\\Democracy_Downloader.exe"="C:\\Program Files\\Participatory Culture Foundation\\Democracy Player\\Democracy_Downloader.exe:*:Enabled:Democracy_Downloader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\RedLightCenter\\RedlightCenter\\RedLightCenter.exe"="C:\\Program Files\\RedLightCenter\\RedlightCenter\\RedLightCenter.exe:*:Enabled:RedLightCenter"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Ratajik Software\\StationRipper\\StationRipperConsole.exe"="C:\\Program Files\\Ratajik Software\\StationRipper\\StationRipperConsole.exe:*:Enabled:StationRipperConsole"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\John\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTER2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\John
LOGONSERVER=\\COMPUTER2
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\John\LOCALS~1\Temp
TMP=C:\DOCUME~1\John\LOCALS~1\Temp
USERDOMAIN=COMPUTER2
USERNAME=John
USERPROFILE=C:\Documents and Settings\John
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

John (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACLS Simulator 7 Package --> MsiExec.exe /I{1A8D503F-F865-4779-AA93-87F89CBF018D}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
BitTorrent 6.0 --> C:\Program Files\BitTorrent\uninst.exe
BitTorrent DNA --> "C:\Program Files\BitTorrent_DNA\dna.exe" /UNINSTALL
Canon MP Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F8C6D9-5B55-486A-A322-4E8D87670031}\setup.exe" -l0x9 -Uninstall
Canon MP Toolbox 4.1.1.0.mp10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4669544E-20E4-4E56-8B44-2E6E1200051F}\Setup.exe" -l0x9 -Uninstall
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
CodeDemo --> C:\WINDOWS\iun3405.exe C:\Program Files\MadSciDm\CodeTeam
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dr Watson for Microsoft Windows OneCare Live v0.9.0929.18 --> MsiExec.exe /I{C544F99D-39EF-4E6D-95BE-4E41C1D8C4CB}
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\setup.exe" -l0x9 DVD-RAM Driver
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EmergiMedDemo --> C:\WINDOWS\iun3405.exe C:\Program Files\MadSciDm
EphPod --> C:\PROGRA~1\EphPod\UNWISE.EXE C:\PROGRA~1\EphPod\INSTALL.LOG
Eraser 5.8 --> "C:\Program Files\Eraser\unins000.exe"
Full Tilt Poker --> "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
GSpot Codec Information Appliance --> C:\Program Files\GSpot\Uninstall.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP OrderReminder --> "C:\Program Files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe" hp_LaserJet_1018
ImageJ 1.36b --> "C:\Program Files\ImageJ\unins000.exe"
Intel(R) Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
Intel(R) PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD for TOSHIBA --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
Intro. to Radiology Images --> C:\UNWISE.EXE C:\INSTALL.LOG
Introduction to Radiology --> C:\PROGRA~1\INTRO_~1\UNWISE.EXE C:\PROGRA~1\INTRO_~1\INSTALL.LOG
iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{13616DE2-9795-4910-8C93-80D45AF09658} /l1033
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LaserJet 1018 --> C:\Program Files\Zenographics\{EFE06C45-C1F4-4F2F-82F8-37DEED93DDF4}\setup.exe -u "HPLJInstaller.dll=Hplj1018.inf"
LimeWire 4.10.9 --> "C:\Program Files\LimeWire\uninstall.exe"
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (1.5.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5.0.12 (en-US)"
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
On2 VP7 Personal Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD0DDC9E-2ED4-44DD-B461-0EFC126813A0}\Setup.exe" -l0x9
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PokerStars --> "C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Replay Converter 2.8 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Replay Converter\iruninRCV.ini"
SAS 9.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68624FB8-2512-46B5-9664-64366DCCB3EB}\setup.exe" -l0x9 uninstall
SAS Private JRE (J2SE(tm) Java Runtime Environment 1.4.1) --> C:\Program Files\SAS\Shared Files\JRE\1.4.1\_uninst\Uninst.exe
SD Secure Module --> MsiExec.exe /X{C45F4811-31D5-4786-801D-F79CD06EDD85}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Skype 3.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype add-on for IE --> rundll32 "C:\Program Files\Skype\Phone\IEPlugin\SkypeIEPlugin.dll",FriendlyUnregisterServer 0
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SyncToy --> MsiExec.exe /I{15047293-954F-45B2-8A7B-D7226D2B6931}
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4497AFF6-98C4-4F49-B073-F48F42BCBF9E} /l1033
TOSHIBA Accessibility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3A57482F-BEBC-47E4-ADA1-6302403C7E50} /l1033
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\Setup.exe" -l0x9
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Controls --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5BCA8D15-BCB6-421E-9654-238B43456A4F} /l1033
TOSHIBA Fn-esse --> C:\WINDOWS\UnInst32.exe Fn-esse.UNI
TOSHIBA Hardware Setup --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA Hotkey Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7900D3A6-A9E8-4954-ACCB-AB15867978BF} /l1033
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A38D57D1-5F29-4691-B3DD-FE4B3A7B3AFE} /l1033
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\Setup.exe"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
TOSHIBA Supervisor Password --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
Toshiba Tbiosdrv Driver --> C:\PROGRA~1\TOSHIBA\TO3438~1\UNWISE.EXE C:\PROGRA~1\TOSHIBA\TO3438~1\INSTALL.LOG
TOSHIBA Virtual Sound --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B12BA86-ADAC-4BA6-B441-FFC591087252}\Setup.exe" /uninstall
TOSHIBA Zooming Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{02EED746-8C5A-43C8-BB3D-D29C8B363A4D} /l1033
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe"
TouchPad On/Off Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{80977342-27E8-4FF7-8B6A-D8D89461DA7F} /l1033
TVUPlayer 1.5.12 --> C:\Program Files\TVU Player\uninst.exe
Ultrasound Physics --> C:\PROGRA~1\PHYSIC~2\UNWISE.EXE C:\PROGRA~1\PHYSIC~2\INSTALL.LOG
Ultrasound Physics Images --> C:\UNWISE.EXE C:\INSTALL.LOG
UpToDate --> C:\Program Files\UpToDate\uninst\uninst.exe
USB Storage Driver --> DelUIDrv.exe
USB Storage Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B1F69DF2-8C69-437E-A288-663326C4404A}\Setup.exe" -l0x9
VideoLAN VLC media player 0.8.4a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Defender --> MsiExec.exe /I{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinPatrol --> C:\WINDOWS\uninst.exe -f"C:\Program Files\BillP Studios\WinPatrol\DeIsL1.isu" -c"C:\Program Files\BillP Studios\WinPatrol\_ISREG32.DLL"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
X-Ray Physics --> C:\PROGRA~1\PHYSIC~1\UNWISE.EXE C:\PROGRA~1\PHYSIC~1\INSTALL.LOG
X-Ray Physics Images --> C:\UNWISE.EXE C:\INSTALL.LOG
XviD 1.1 final uninstall --> "C:\Program Files\XviD\unins000.exe"
XviD MPEG4 Video Codec (remove only) --> "C:\WINDOWS\system32\xvid-uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type5447 / Error
Event Submitted/Written: 12/05/2007 03:46:50 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16544, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type5446 / Error
Event Submitted/Written: 12/05/2007 03:46:11 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type5445 / Error
Event Submitted/Written: 12/05/2007 03:46:05 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16544, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type5443 / Error
Event Submitted/Written: 12/05/2007 02:45:50 PM
Event ID/Source: 24 / WinMgmt
Event Description:
Event provider attempted to register query "SELECT * FROM __InstanceDeletionEvent WHERE TargetInstance ISA "MPSSVC_Agent" " whose target class "MPSSVC_Agent"
does not exist.
The query will be ignored.

Event Record #/Type5442 / Error
Event Submitted/Written: 12/05/2007 02:45:50 PM
Event ID/Source: 24 / WinMgmt
Event Description:
Event provider attempted to register query "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA "MPSSVC_Agent" " whose target class "MPSSVC_Agent"
does not exist.
The query will be ignored.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type72040 / Error
Event Submitted/Written: 12/05/2007 03:16:09 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Mozilla Firefox\extensions\{A89AED22-9133-424c-88E7-C8235C5FF302}\components\MeMedia_FF.dll.
Reference error message: The operation completed successfully.
.

Event Record #/Type72039 / Error
Event Submitted/Written: 12/05/2007 03:16:09 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type72038 / Error
Event Submitted/Written: 12/05/2007 03:16:09 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type72037 / Error
Event Submitted/Written: 12/05/2007 03:09:18 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {C3B368D4-C09D-49D8-A7A6-12FACEFA6F38} did not register with DCOM within the required timeout.

Event Record #/Type72020 / Error
Event Submitted/Written: 12/05/2007 06:13:06 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2007-12-05 15:49:08 ------------
john123 is offline  
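The log above is a DSS (Deckard's System Scanner) dump, and the item the poster describes (ntos.exe being re-added to the startup list) sits alongside a few entries a helper would look at first: the hidden+system objects created under system32 on 2007-12-04 (the wsnpoem folder and the .dat file), Run entries that DSS could not resolve to a file, and firewall exceptions for programs living outside Program Files or the Windows directory. As an added example that is not part of the original post and not a feature of DSS or HijackThis, here is a small Python triage script that pulls those three classes of entry out of a pasted log. The sample input is a constructed excerpt of lines copied from the log above; the heuristics (hidden+system attributes under system32, an empty [] after a Run value, which I take to mean DSS could not locate the image, and exception paths outside Program Files or Windows) are my own assumptions about what merits a second look, not a verdict on any file.

```python
import re

# Constructed sample input: a few lines copied from the DSS log posted above
# (file-creation list, the HKLM Run key, and the firewall exception list).
SAMPLE_LOG = r"""
-- Files created between 2007-11-09 and 2007-12-09 -----------------------------

2007-12-05 15:12:06 0 d-------- C:\HJT
2007-12-04 20:19:14 0 d--h----- C:\WINDOWS\PIF
2007-12-04 2007 109 --ahs---- C:\WINDOWS\system32\2291350389.dat
2007-12-04 20:05:48 46138 --a------ C:\WINDOWS\system32\w32drv10.exe
2007-12-04 20:05:34 0 d--hs---- C:\WINDOWS\system32\wsnpoem
2007-12-03 21:59:15 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [28/11/2005 12:55 AM]
"NDSTray.exe"="NDSTray.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [26/10/2007 04:30 PM]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\John\\Desktop\\KDXClient 1.110.exe"="C:\\Documents and Settings\\John\\Desktop\\KDXClient 1.110.exe:*:Enabled:KDXClient 1.110"
"""

# DSS file line: date, time, size, nine-character attribute field, path.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+\S+\s+(\d+)\s+([d-][-rahs]{8})\s+(.+?)\s*$")
# Registry value line: "name"="data" [what DSS found at that path]
RUN_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s+\[(.*)\]\s*$')
# Firewall exception: "path"="path:scope:Enabled:description"
FW_RE = re.compile(r'^"([^"]*)"="[^"]*:\*:[Ee]nabled:')

# Assumption: exceptions for anything outside these trees deserve a look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")


def triage(log_text):
    """Return a list of (reason, item) pairs for log entries worth a second look."""
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("[HK"):           # start of a registry key block
            current_key = line.strip("[]").lower()
            continue

        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(3), m.group(4)
            # Hidden + system attributes on a freshly created object under
            # system32 is the pattern to check first (wsnpoem, the .dat file).
            if "h" in attrs and "s" in attrs and "\\windows\\system32" in path.lower():
                findings.append(("hidden+system object created in system32", path))
            continue

        if current_key.endswith("\\currentversion\\run"):
            m = RUN_RE.match(line)
            # Assumption about the DSS format: the bracket holds the image's
            # timestamp when DSS located it, and is empty when it did not.
            if m and m.group(2) and m.group(3) == "":
                findings.append(("Run entry whose image DSS could not locate",
                                 f"{m.group(1)} -> {m.group(2)}"))
            continue

        if "authorizedapplications\\list" in current_key:
            m = FW_RE.match(line)
            if m:
                path = m.group(1).replace("\\\\", "\\")   # un-escape registry export
                if not path.lower().startswith(TRUSTED_ROOTS):
                    findings.append(("firewall exception for a program outside Program Files / Windows", path))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"{reason}: {item}")
```

Run against the excerpt it reports five items: the two hidden+system objects in system32, the unresolved NDSTray.exe Run entry, and the two firewall exceptions for C:\StubInstaller.exe and the KDXClient executable on the Desktop. Feeding it the full pasted log works the same way, since it only keys on the section markers DSS already prints; anything it flags still needs the file checked by hand (a signed Toshiba utility can show up as an unresolved Run entry just because the path is bare).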
Old 12-08-2007, 11:34 PM   #4 (permalink)
forhockey
Analyst, Security Team

Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate

Re: trojan and hijack log

Hi John123,

Please copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Disable Windows Defender

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools>Options.
  • Scroll down and uncheck "Use real-time protection (recommended)".
  • After you uncheck this, click on the Save button and close Windows Defender.

Disable WinPatrol

Please disable WinPatrol, as it may hinder the removal of some entries.
  • Right click the running icon of WinPatrol located in the system tray
  • Go to Menu > File > Exit and confirm the programs close.
It will automatically restart at next boot.

--------------------------------------------------------------

Download combofix from here

**Save it directly to your desktop**

Double-click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

A log will be produced that will ultimately be named C:\ComboFix.txt. I'll need that in your next reply.

--------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------

Please reply back with the following logs:

C:\ComboFix.txt
Panda Online Scan
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 12-13-2007, 08:53 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Hi,

Thanks again for the advice, and sorry it took me this long to get back to you. I am wondering if there is an alternative to ComboFix. I have had it running for about an hour and it does not seem to produce a log; it just opens a window and stays open. How long should it take for it to run?

thanks
john
Old 12-13-2007, 09:44 PM   #6 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: trojan and hijack log

Hi John,

What stage did ComboFix reach? It shouldn't take any longer than 20 mins.
Old 12-14-2007, 05:48 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Hi,

How do I determine what stage it got to?

Essentially it just opened a small window and the window was blue, with only a small blinking cursor at the top left. There were never any prompts. I left it on for a long time, as I had read that it would take at least 20 minutes prior to starting.
Thanks
John

Last edited by john123; 12-14-2007 at 05:50 AM.
Old 12-14-2007, 11:53 AM   #8 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: trojan and hijack log

Did you get as far as the disclaimer? That is considered a prompt.



But you said you had read on the ComboFix window that it would not take longer than 10 mins right?

Next, it would say it was scanning for infected files, and at the bottom it would say what stage it had completed?
Old 12-14-2007, 12:02 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Hi,

No, I never got to that stage. The window opened up and it was that blue colour, but there was no text, just a blinking cursor. I think that when it first opened there was actually a second window that popped up, but it was there only for less than a partial second. I did not click my mouse or push 1 or 2; simply the blue second window popped up and did nothing. No text. The 10 minutes I had read on the internet when I was searching for problems that could occur with ComboFix. It did not reboot at any point.

Thanks

john
Old 12-14-2007, 12:10 PM   #10 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: trojan and hijack log

Can you delete ComboFix.exe from your desktop, and download a new copy from either of the links below, please.

Make sure you've disabled WinPatrol and Windows Defender, and follow the instructions below:

  1. Download Combofix from Here or Alternate link

    **Save it directly to your desktop**
  2. Disable your real time protection of your Anti-Virus. Exit the program via the SystemTray icon.
  3. Double click on combofix.exe & follow the prompts. Type "1" and press Enter to begin the scan.
  4. When finished, it shall produce a log for you ( C:\ComboFix.txt ). Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    --------------------------------------------------------------
  5. Re-enable your Anti-Virus if it is not active...a reboot should have re-activated it.
  6. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    --------------------------------------------------------------
Old 12-15-2007, 12:21 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Hi,

Thanks for the new ComboFix links. Here is what happened when I tried to use them. The first link did the same thing as I described before: a window opened and nothing else progressed.

The second link only partially worked.

When I double-clicked on it, the program started and it said that it was preparing to run. Then it said stack overflow, and a warning window came up which said: swreg.cfexe - application error. The instruction at "0x7c9111e0" referenced memory at "0x00200066". The memory could not be "read". Click on OK to terminate the program.


When I clicked on OK, the program continued to run and went through the early stages, but it got stuck at the Deleting files/folders stage.

The only log produced was:


ComboFix 07-12-15.1 - John 2007-12-15 19:56:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.555 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.


Any suggestions for the next move?

Thanks
John
Old 12-15-2007, 12:37 PM   #12 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: trojan and hijack log

Hi john123,

ComboFix had another update, which should fix it getting stuck at Deleting files/folders stage.

Delete combofix.exe and download a new copy. Run it again with the same instructions.
Old 12-15-2007, 01:23 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Hi again,

So this time, after I downloaded the new ComboFix, a similar error message as before appeared. When I clicked OK, ComboFix continued to operate and my computer rebooted, but it produced the same log.

ComboFix 07-12-15.5 - John 2007-12-16 15:11:15.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.575 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
* Created a new restore point
.


So I'm not sure if this is the complete operation?

Is it? And shall I now run the Panda scan?

john
Old 12-15-2007, 04:53 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: trojan and hijack log

Download & run this tool > http://download.bleepingcomputer.com/sUBs/grab.exe .

Grab.exe is a tool for collecting data from the C:\ComboFix + C:\QooBox folders. It will create a zip file on the Desktop named _sUBs_.zip.

  • Please visit this site:

    http://www.bleepingcomputer.com/subm....php?channel=4

  • In the Link to topic where this file was requested: area, copy and paste this:


    http://www.techsupportforum.com/security-center/hijackthis-log-help/200134-trojan-hijack-log.html#post1213667


  • Please use the Browse button to navigate to the _sUBs_.zip file on your desktop
  • Then click Send File.
  • Once it shows:
    Quote:
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and continue with the steps below.


---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-15-2007, 05:07 PM   #15 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Okay, and I have sent in the grab file.

Here is the hijack log.

Cheers
John

Deckard's System Scanner v20071014.68
Run by John on 2007-12-16 19:04:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as John.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 19:04, on 2007-12-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\John.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Super Audio Grabber 3.0] "C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe"/a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Super Audio Grabber 3.0] "C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe"/a
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n020p/EN/install/gtdownlr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


-- Files created between 2007-11-16 and 2007-12-16 -----------------------------

2007-12-13 21:49:12 0 d-------- C:\Program Files\Windows Defender
2007-12-12 19:28:48 0 d-------- C:\Program Files\iTunes
2007-12-12 19:26:50 0 d-------- C:\Program Files\Apple Software Update
2007-12-12 19:26:26 0 d-------- C:\Program Files\Common Files\Apple
2007-12-12 19:26:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-05 15:01:40 0 d-------- C:\New Folder (2)
2007-12-04 23:57:22 0 d-------- C:\KAV
2007-12-04 20:26:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 20:26:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 20:19:14 0 d--h----- C:\WINDOWS\PIF
2007-12-04 2007 109 --ahs---- C:\WINDOWS\system32\2291350389.dat
2007-12-03 22:04:35 0 d-------- C:\Program Files\DAEMON Tools
2007-12-03 21:59:15 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-03 19:25:02 0 d-------- C:\Program Files\New Folder 1
2007-12-03 19:24:12 0 d-------- C:\Documents and Settings\John\Application Data\DivX
2007-12-03 19:09:42 0 d-------- C:\XRAYS
2007-12-03 19:09:29 398416 --a------ C:\WINDOWS\system\VBRUN300.DLL <Not Verified; Microsoft Corporation; Visual Basic 3.0>
2007-12-03 19:09:29 7008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2007-12-03 18:26:47 0 d-------- C:\finalburner
2007-12-03 18:26:47 0 d-------- C:\Documents and Settings\John\Application Data\FinalBurner Video DVD
2007-12-03 17:12:07 43698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 17:12:00 0 d-------- C:\Program Files\AviSynth 2.5
2007-12-03 17:11:52 0 d-------- C:\Program Files\Gabest
2007-12-03 17:07:49 0 d-------- C:\New Folder
2007-12-02 12:40:19 0 d-------- C:\WINDOWS\ASYM
2007-12-02 12:40:19 0 d-------- C:\CLINATLS


-- Find3M Report ---------------------------------------------------------------

2007-12-16 18:59:22 0 d-------- C:\Documents and Settings\John\Application Data\BitTorrent DNA
2007-12-16 17:00:15 0 d-------- C:\Program Files\Eraser
2007-12-16 15:04:51 0 d-------- C:\Documents and Settings\John\Application Data\Skype
2007-12-12 19:28:54 0 d-------- C:\Program Files\iPod
2007-12-12 19:28:07 0 d-------- C:\Program Files\QuickTime
2007-12-12 19:26:26 0 d-------- C:\Program Files\Common Files
2007-12-12 19:02:51 0 d-------- C:\Documents and Settings\John\Application Data\BitTorrent
2007-12-09 13:10:22 0 d-------- C:\Documents and Settings\John\Application Data\Adobe
2007-12-06 17:40:21 0 d-------- C:\Documents and Settings\John\Application Data\AVG7
2007-12-03 19:43:29 0 d-------- C:\Program Files\DivX
2007-12-03 16:02:38 0 d-------- C:\Program Files\TVU Player
2007-11-14 09:57:14 0 d-------- C:\Program Files\PokerStars
2007-11-08 05:01:04 0 d-------- C:\Program Files\BitTorrent_DNA
2007-11-03 18:35:23 0 d-------- C:\Program Files\Full Tilt Poker
2007-11-03 13:39:22 0 d-------- C:\Program Files\BitTorrent
2007-10-19 19:56:16 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-19 19:54:28 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-10-19 19:54:28 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-10-19 19:54:12 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 19:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 19:54:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 19:54:10 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-18 04:02:34 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-08 14:14:25 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 00:55]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 00:52]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 00:55]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 02:49 C:\WINDOWS\RTHDCPL.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 09:40]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 19:28]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 14:13]
"NDSTray.exe"="NDSTray.exe" []
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 08:20]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 12:58 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 16:45]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 15:25]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 16:45]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 17:50 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-12-27 19:34 C:\WINDOWS\system32\TDispVol.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 20:16 C:\WINDOWS\system32\TPSMain.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-17 14:37]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 17:29 C:\WINDOWS\agrsmmsg.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 15:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 14:41]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-26 16:30]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2005-12-13 01:18]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-08 22:09]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 07:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 23:46]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"Eraser"="C:\Program Files\Eraser\eraser.exe" [2006-08-07 16:07]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-03 13:39]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-21 21:00:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

*Newly Created Service* - TMCOMM



-- End of Deckard's System Scanner: finished at 2007-12-16 19:05:13 ------------
Old 12-15-2007, 05:13 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: trojan and hijack log

Open HijackThis (NOT Deckard's System Scanner) and click on 'Do a System Scan Only'. Check the following entry and click Fix Checked

O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

Close HijackThis now.

---------------------------------------------------------------------------------------------

Run ComboFix once again, this time by double clicking on ComboFix.exe

It should run and produce a log now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 12-15-2007 at 05:14 PM.
Old 12-15-2007, 06:34 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Nice one.

Here is the ComboFix log.

Thanks



ComboFix 07-12-15.5 - John 2007-12-16 20:28:39.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.484 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\runtime




((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-16 20:25 . 2007-12-16 20:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-16 18:15 . 2007-12-04 20:31 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-13 21:49 . 2007-12-13 21:49 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-12 19:28 . 2007-12-12 19:29 <DIR> d-------- C:\Program Files\iTunes
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-12 19:26 . 2007-12-12 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-12 19:11 . 2007-12-16 15:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-12 19:11 . 2007-12-12 19:11 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-05 15:32 . 2007-12-05 15:32 <DIR> d-------- C:\Deckard
2007-12-05 15:01 . 2007-12-05 15:01 <DIR> d-------- C:\New Folder (2)
2007-12-04 23:57 . 2007-12-04 23:57 <DIR> d-------- C:\KAV
2007-12-04 20:26 . 2007-12-04 20:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 20:26 . 2007-12-04 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 20:19 . 2007-12-04 20:19 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-04 20:06 . 2007-12-04 20:07 109 --ahs---- C:\WINDOWS\system32\2291350389.dat
2007-12-04 20:05 . 2007-12-04 20:05 2 --a------ C:\22.tmp
2007-12-03 22:04 . 2007-12-03 22:10 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-03 21:59 . 2007-12-03 21:59 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-03 19:25 . 2007-12-03 19:25 <DIR> d-------- C:\Program Files\New Folder 1
2007-12-03 19:24 . 2007-12-03 19:24 <DIR> d-------- C:\Documents and Settings\John\Application Data\DivX
2007-12-03 19:23 . 2007-10-19 19:56 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-12-03 19:23 . 2007-10-19 19:56 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-03 19:23 . 2007-10-19 19:56 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-03 19:09 . 2007-12-03 19:09 <DIR> d-------- C:\XRAYS
2007-12-03 19:09 . 1993-05-12 00:00 398,416 --a------ C:\WINDOWS\system\VBRUN300.DLL
2007-12-03 19:09 . 1993-04-28 00:00 7,008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2007-12-03 18:26 . 2007-12-03 18:26 <DIR> d-------- C:\finalburner
2007-12-03 18:26 . 2007-12-03 18:26 <DIR> d-------- C:\Documents and Settings\John\Application Data\FinalBurner Video DVD
2007-12-03 17:12 . 2007-12-03 17:12 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-03 17:12 . 2007-12-03 17:12 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-12-03 17:11 . 2007-12-03 18:53 <DIR> d-------- C:\Program Files\Gabest
2007-12-03 17:07 . 2007-12-03 17:07 <DIR> d-------- C:\New Folder
2007-12-02 12:40 . 2007-12-02 12:40 <DIR> d-------- C:\WINDOWS\ASYM
2007-12-02 12:40 . 2007-12-02 12:40 <DIR> d-------- C:\CLINATLS
2007-12-02 12:40 . 1998-08-24 16:24 109 --a------ C:\WINDOWS\TB50.INI
2007-12-02 12:40 . 2007-12-02 12:40 0 --a------ C:\WINDOWS\asym.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 01:29 --------- d-----w C:\Documents and Settings\John\Application Data\BitTorrent DNA
2007-12-16 22:00 --------- d-----w C:\Program Files\Eraser
2007-12-16 20:04 --------- d-----w C:\Documents and Settings\John\Application Data\Skype
2007-12-14 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-13 00:28 --------- d-----w C:\Program Files\QuickTime
2007-12-13 00:28 --------- d-----w C:\Program Files\iPod
2007-12-13 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-13 00:02 --------- d-----w C:\Documents and Settings\John\Application Data\BitTorrent
2007-12-06 22:40 --------- d-----w C:\Documents and Settings\John\Application Data\AVG7
2007-12-04 00:43 --------- d-----w C:\Program Files\DivX
2007-12-03 21:02 --------- d-----w C:\Program Files\TVU Player
2007-11-14 14:57 --------- d-----w C:\Program Files\PokerStars
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 10:01 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-11-03 23:35 --------- d-----w C:\Program Files\Full Tilt Poker
2007-11-03 18:39 --------- d-----w C:\Program Files\BitTorrent
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-08 19:14 737,280 ----a-w C:\WINDOWS\iun6002.exe
2006-11-28 02:13 6,440,983 ----a-w C:\Program Files\VideoraiPodConverter_Install.exe
2006-11-21 05:20 2,017,280 ----a-w C:\Program Files\ewpwin264en.exe
2006-10-13 01:32 22,616 ----a-w C:\Documents and Settings\John\Application Data\GDIPFONTCACHEV1.DAT
2006-02-28 01:15 2,509,704 ----a-w C:\Program Files\fgf171.exe
2006-02-27 23:08 2,417,824 ----a-w C:\Program Files\winzip90sr1.exe
2007-03-09 07:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 23:46]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"Eraser"="C:\Program Files\Eraser\eraser.exe" [2006-08-07 16:07]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-03 13:39]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 15:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 00:55]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 00:52]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 00:55]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 02:49 C:\WINDOWS\RTHDCPL.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 09:40]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 19:28]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 14:13]
"NDSTray.exe"="NDSTray.exe" []
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 08:20]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 12:58 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 16:45]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 15:25]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 16:45]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 17:50 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-12-27 19:34 C:\WINDOWS\system32\TDispVol.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 20:16 C:\WINDOWS\system32\TPSMain.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-17 14:37]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 17:29 C:\WINDOWS\agrsmmsg.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 15:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 14:41]
"CFSServ.exe"="CFSServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-26 16:30]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2005-12-13 01:18]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-08 22:09]
"Super Audio Grabber 3.0"="C:\Program Files\Ailansoft\Super Audio Grabber 3.0\SAGrab.exe/a" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 16:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-21 21:00:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
S3 DLKRCB;D-Link DFE-690TXD CardBus PC Card;C:\WINDOWS\system32\DRIVERS\DLKRCB.SYS
S4 WMPNetworkSvcaspnet_state;Windows Media Player Network Sharing Service WMPNetworkSvcaspnet_state;C:\WINDOWS\system32\w32drv10.exe srv

*Newly Created Service* - TMCOMM
.
Contents of the 'Scheduled Tasks' folder
"2007-12-16 20:18:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2006-02-13 13:42:32 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-02-13 13:42:33 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 20:29:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\TDispVol.dll
.
Completion time: 2007-12-16 20:30:36
.
2007-12-14 23:18:26 --- E O F ---
Old 12-15-2007, 06:40 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: trojan and hijack log

Ok, let's have you perform the online scan at Panda that forhockey wanted you to run. He'll be back with you after it's posted.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-15-2007, 10:09 PM   #19 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 15
OS: xp


Re: trojan and hijack log

Okay,

Attached is the Panda scan.

Thanks for the help, everyone.

jd
Attached Files
File Type: txt Activescan.txt (9.7 KB, 3 views)
Old 12-16-2007, 01:04 AM   #20 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,940
OS: Windows 7 Ultimate


Re: trojan and hijack log

Thanks tetonbob for filling in.


John,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Again we have to disable some real-time protection, as it may prevent some of these fixes from happening.

Disable WinPatrol

Please disable WinPatrol, as it may hinder the removal of some entries.
  • Right click the running icon of WinPatrol located in the system tray
  • Go to Menu > File > Exit and confirm that the program closes.
It will automatically restart at next boot.

--------------------------------------------------------------

*** Close any open windows and web browsers ***

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\2291350389.dat
C:\22.tmp
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Also update me on how your system is behaving.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
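As an added triage example, not part of the thread and not ComboFix's own code: the script below parses "Files Created" entries in the layout of the log posted above, applies three constructed heuristics (hidden or system attributes under the Windows directory, all-numeric file names, .tmp files at the drive root), and renders the hits in the CFScript KILLALL::/File:: layout that the analyst wrote by hand. The heuristics and the sample lines are assumptions made for illustration.

```python
# Added example (not from the thread or from ComboFix): triage the
# "Files Created" section of a ComboFix log with constructed heuristics
# and render the hits as the CFScript File:: block the analyst wrote by hand.
import re

# One "Files Created" line: "<created> . <modified> <size|<DIR>> <attrs> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)

def parse_entries(text):
    """Return (is_dir, attrs, path) for every line in the expected layout."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _created, _modified, size, attrs, path = m.groups()
            entries.append((size == "<DIR>", attrs, path))
    return entries

def reasons(is_dir, attrs, path):
    """Constructed triage heuristics; a hit is a prompt to look, not a verdict."""
    if is_dir:
        return []
    folder, _, name = path.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    out = []
    # Attribute letters come from the ComboFix flag string, e.g. "--ahs----".
    if folder.lower().startswith("c:\\windows") and ("h" in attrs or "s" in attrs):
        out.append("hidden/system file under the Windows directory")
    if stem.isdigit():
        out.append("all-numeric file name")
    if name.lower().endswith(".tmp") and folder.upper() == "C:":
        out.append(".tmp file at the drive root")
    return out

def triage(text):
    """Map each flagged path to the list of reasons it was flagged."""
    hits = {}
    for is_dir, attrs, path in parse_entries(text):
        why = reasons(is_dir, attrs, path)
        if why:
            hits[path] = why
    return hits

def build_cfscript(paths):
    """Render the paths as a CFScript with the KILLALL:: and File:: sections."""
    return "KILLALL::\n\nFile::\n" + "\n".join(paths) + "\n"

# Constructed sample: entries copied from the ComboFix log posted above.
SAMPLE = """
2007-12-16 20:25 . 2007-12-16 20:25 <DIR> d-------- C:\\Program Files\\Trend Micro
2007-12-12 19:11 . 2007-12-16 15:19 54,156 --ah----- C:\\WINDOWS\\QTFont.qfn
2007-12-12 19:11 . 2007-12-12 19:11 1,409 --a------ C:\\WINDOWS\\QTFont.for
2007-12-04 20:06 . 2007-12-04 20:07 109 --ahs---- C:\\WINDOWS\\system32\\2291350389.dat
2007-12-04 20:05 . 2007-12-04 20:05 2 --a------ C:\\22.tmp
2007-12-03 17:12 . 2007-12-03 17:12 43,698 --a------ C:\\WINDOWS\\system32\\xvid-uninstall.exe
"""
```

On the sample this flags three of the four files the analyst listed; QTFont.for carries ordinary attributes and is caught only by the analyst's own review, which a script like this supports rather than replaces.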