spyware redirect to http://www.asiuoqgusdbaksd.com/

[donackle]

I have cleaned a bunch of spyware but still have some lingering effects I can't get to any anti-virus sites, even to this site. Page cannot be displayed. Here's the dss:

Deckard's System Scanner v20071014.68
Run by welcome on 2008-06-04 09:26:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
66: 2008-06-04 15:26:46 UTC - RP194 - Deckard's System Scanner Restore Point
65: 2008-06-04 15:07:48 UTC - RP193 - Removed MyConnect Special Offer
64: 2008-06-04 14:51:34 UTC - RP192 - Software Distribution Service 3.0
63: 2008-06-03 20:28:06 UTC - RP191 - Removed SUPERAntiSpyware Free Edition
62: 2008-06-03 14:14:47 UTC - RP190 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-25 05:32:02 UTC - RP129 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-04 09:28:23
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\iprntctl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\welcome\Application Data\U3\02B01C6003137B65\Launchpad.exe
C:\Documents and Settings\welcome\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,
O2 - BHO: (no name) - {151A33CC-24EF-4488-A570-DC57DD997B4D} - (no file)
O2 - BHO: (no name) - {68E0FC03-A505-4A27-9093-E85C4E7C7741} - (no file)
O2 - BHO: (no name) - {86F0E17E-F148-4388-96E2-106823D3DDFB} - (no file)
O2 - BHO: (no name) - {E5D21730-A213-4422-AE37-6F701AA64B47} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPrint Tray] "C:\WINDOWS\system32\iprntctl.exe" TRAY_ICON
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://denverdigitalimaging.lifepics...eUploader3.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - c:\winself.exe service
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 9803 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 nipplpt2 (Novell iCapture Lpt Redirector 2) - c:\windows\system32\drivers\nipplpt.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 TVALD (Toshiba Mobile PC Service) - c:\windows\system32\drivers\nbsmi.sys <Not Verified; Toshiba Corporation; Toshiba Notebook PC SMI Service>
R3 Tvs (TOSHIBA Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>

S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\idsdefs\20080523.001\symidsco.sys (file missing)
S3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 TAPPSRV (TOSHIBA Application Service) - "c:\program files\toshiba\toshiba applet\tappsrv.exe" <Not Verified; TOSHIBA Corp.; TOSHIBA TAPPSRV>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 MsSecurity1.209.4 (MsSecurity Updated) - c:\winself.exe service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-04 08:51:43 0 d-------- C:\WINDOWS\LastGood
2008-06-03 16:29:40 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 16:29:35 0 d-------- C:\Program Files\SpywareBlaster
2008-06-03 15:40:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-03 07:16:37 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-03 07:16:30 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-03 07:16:27 0 d-------- C:\Program Files\CCleaner
2008-06-02 22:26:11 0 d-------- C:\Documents and Settings\welcome\Application Data\U3
2008-06-02 21:24:16 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-06-02 18:56:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-02 18:42:26 711974 --ahs---- C:\WINDOWS\system32\QrYbefii.ini2
2008-06-02 18:13:41 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-02 18:10:26 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-02 18:10:26 0 d-------- C:\Documents and Settings\welcome\Application Data\SUPERAntiSpyware.com
2008-06-02 16:41:02 0 d-------- C:\WINDOWS\network diagnostic
2008-06-02 16:28:11 0 d-------- C:\e2118555e18d80a669db8f
2008-06-02 15:44:50 714028 --ahs---- C:\WINDOWS\system32\gffPqqru.ini2
2008-06-02 13:43:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 13:39:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-02 13:34:40 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-02 13:10:23 0 d--hs---- C:\WINDOWS\CSC
2008-06-02 11:57:53 0 d-------- C:\WINDOWS\Recent
2008-06-02 11:57:52 0 d-------- C:\Documents and Settings\NetworkService\Recent
2008-06-02 11:57:52 0 d-------- C:\Documents and Settings\LocalService\Recent
2008-06-02 11:57:52 0 d-------- C:\Documents and Settings\All Users\Recent
2008-06-02 10:56:42 81549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-02 10:56:41 82061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-02 10:55:20 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-02 10:55:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 10:55:11 52256 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-02 10:55:11 2503456 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-02 10:34:10 0 d-------- C:\KAV
2008-06-02 10:15:54 32768 --a------ C:\WINDOWS\system32\nipplgex.dll <Not Verified; Novell, Inc.; Novell iPrint>
2008-06-02 10:15:52 45056 --a------ C:\WINDOWS\system32\iprntlgn.exe <Not Verified; Novell, Inc.; Novell iPrint>
2008-05-29 22:08:12 2560 --a------ C:\WINDOWS\system32\icxxnosr.exe
2008-05-29 22:02:11 713490 --ahs---- C:\WINDOWS\system32\UFfMmUtv.ini2
2008-05-26 00:07:23 2560 --a------ C:\WINDOWS\system32\mywqppkb.exe
2008-05-26 00:05:53 903779 --ahs---- C:\WINDOWS\system32\GgMStBeg.ini2
2008-05-25 20:18:01 901426 --ahs---- C:\WINDOWS\system32\SYcJknnn.ini2
2008-05-24 23:33:50 2560 --a------ C:\WINDOWS\system32\ybmqrpeh.exe
2008-05-24 23:33:23 0 d-------- C:\Documents and Settings\welcome\Application Data\uTorrent
2008-05-24 23:32:45 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-24 23:32:44 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-24 23:31:51 902938 --ahs---- C:\WINDOWS\system32\SvvwHkkj.ini2
2008-05-24 23:31:46 101888 -rahs---- C:\WINDOWS\system32\acledite.exe
2008-05-24 23:30:49 0 d-------- C:\Program Files\uTorrent
2008-05-24 13:39:26 0 d-------- C:\WINDOWS\system32\vntiho06
2008-05-24 13:39:26 0 d-------- C:\Temp
2008-05-22 13:23:40 229516 --a------ C:\WINDOWS\system32\000090.exe
2008-05-19 22:51:37 0 d-------- C:\Documents and Settings\welcome\Application Data\Viewpoint
2008-05-19 22:00:44 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-16 23:29:20 226698 --a------ C:\WINDOWS\system32\000060.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-04 09:07:50 0 d-------- C:\Program Files\TOSHIBA
2008-06-03 14:28:28 0 d-------- C:\Program Files\Common Files
2008-06-03 03:07:32 0 d-------- C:\Program Files\DIGStream
2008-06-02 20:23:44 0 d-------- C:\Program Files\Yahoo!
2008-06-02 17:24:18 0 d-------- C:\Program Files\Metamail Inc
2008-06-02 13:47:26 0 d-------- C:\Program Files\Toshiba Games
2008-06-02 10:59:11 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-25 20:15:31 0 d-------- C:\Documents and Settings\welcome\Application Data\ZoomBrowser EX
2008-05-19 22:01:18 0 d-------- C:\Program Files\Viewpoint
2008-04-04 15:45:48 23 --a------ C:\WINDOWS\popcinfot.dat
2008-04-04 12:00:24 0 --a------ C:\WINDOWS\popcreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{151A33CC-24EF-4488-A570-DC57DD997B4D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68E0FC03-A505-4A27-9093-E85C4E7C7741}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86F0E17E-F148-4388-96E2-106823D3DDFB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5D21730-A213-4422-AE37-6F701AA64B47}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/27/2005 11:55 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/27/2005 11:55 PM]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [01/05/2006 04:02 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [12/16/2005 02:34 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [12/16/2005 02:32 AM]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [11/30/2005 02:25 PM]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [04/26/2005 06:13 PM]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [03/17/2005 07:37 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [12/05/2005 01:37 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [11/28/2005 12:41 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [03/08/2003 10:30 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [09/06/2007 10:45 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [09/06/2007 10:45 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [11/19/2007 02:40 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/10/2004 06:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [12/30/2004 02:32 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/24/2005 12:05:26 AM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2/15/2006 10:31:42 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifebYrQ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jqX42.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ovC20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qyG53.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^welcome^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\welcome\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEUpdate]
C:\WINDOWS\system32\acledite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\welcome\Application Data\Microsoft\dtsc\12815.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7a4c63f-f8f2-11da-a4f4-806d6172696f}]
AutoRun\command- D:\Programs\nu2menu\nu2menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af554151-3100-11dd-a687-00038a000015}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-06-04 09:34:30 ------------

[Glaswegian]

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.



We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that ComboFix is saved directly to your desktop**

Please ensure you read this guide carefully and install the Recovery Console. This will help us restore your system in the event of a serious crash. It's very simple to complete and will only take a few moments. A quick guide is detailed below.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See here for a guide to disabling AV, Firewall and Anti-malware programmes.

Once you've downloaded the appropriate RC setup package for your system to the desktop, follow these instructions:

• Drag the setup package onto ComboFix.exe and drop it.
  
  
• Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  
  
• At the next prompt, click 'Yes' to run the full ComboFix scan.
  
  
  
  
  
• When the tool is finished, it will produce a report for you.

Please post the log C:\ComboFix.txt along with a fresh HijackThis log for further review.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

[donackle]

The computer with the problems has wiindows XP media center edition installed. I don't find a link for that.

Bryan

[donackle]

Also, I went ahead and installed the recovery console from the cd. I'm not sure what file I'm supposed to be dragging onto the ComboFix Icon. The Winnt32.exe?

[donackle]

Oh, and when I double-click on the ComboFix.exe icon on the desktop, nothing happens.

[donackle]

I'm not really following you. I followed the link to the bleepingcomputer site, downloaded combofix, then followed the link on how to install and use the windows recovery console. I installed the recovery console from cd. Then I'm told to drag the file on to the combofix icon. What file? Winnt32.exe? By the way, nothing happens when I double-click the combofix icon on the damaged pc. It has a funny way of resisting attempts to fix it...

Bryan

[donackle]

When you say it is important combofix is saved directly to your desktop, do you mean it must be saved directly from the web page to the desktop? Because I can't get to the web page on the damaged computer. That's the problem. I saved it to another computer and copied it to the desktop. Would that cause it to fail to run?

[Glaswegian]

Slow down!

Let's take this one step at a time.

Forget the Recovery Console for now - we can come back to that later.

If you cannot download any files to the infected machine, can you use another machine and transfer via flash drive or something similar? If so, then download combofix and save it to the desktop of the infected machine. Then just double click to run it - say "yes" to any warnings. CF will then run and provide a log to be posted back in this thread.



Edit> XP Media Centre is based on XP Pro.

[donackle]

That's what I was trying to say. I have downloaded combofix to THIS machine, transferred it to the recalcitrant machine, but when I double-click....nothing. This happens with serveral executables on that machine's desktop. I copied the mbam-setup executable (malwarebytes anti-malware) to the desktop, won't run. Both the executables run on THIS machine, so I'm comfortable the files are ok. Hijackthis runs on the infected machine, as did dss.exe. So the infected machine is selective about which executables it will run, and selective about which websites it will visit. Right now it's smarter than me.

Bryan

[Glaswegian]

Hi again

OK, I get you - we'll try a different approach. You can safely delete any previous versions of combofix.

Once again, download this file and transfer it to the infected machine. make sure you re-name the file before saving it.


Please download ComboFix from here - - > http://download.bleepingcomputer.com/sUBs/ComboFix.exe

**Note: It is important that it is saved directly to your desktop**

Referring to the images below



When saving the file, you must rename the file as Combo-Fix.exe



1. Close any open browsers and physically disconnect from the Internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See here for a guide to disabling AV, Firewall and Anti-malware programmes.

NOTE: ComboFix will disconnect your system from the Internet - do not attempt to re-connect until it has finshed scanning.

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

** If there is no internet connection when Combofix has completely finished then manually restart your computer to restore the connection. **

[donackle]

OK. New information...

as part of my throw everything including the kitchen sink at the problem I downloaded STOPZILLA and ran a scan on the computer. It found stuff, and wouldn't delete any of it unless I paid them $19.95, but a funny thing happened. In the middle of the scan, a box popped up telling me Kaspersky had updated its files and I needed to reboot. The kaspersky update site was one of the websites I had been prohibited from visiting, and the updates had been failing since "the troubles" started. Taking this as a positive sign, I ran a full Kaspersky scan which found and deleted a bunch of stuff. (trojans, etc..) I was also able to run the combofix program, which also seemed to find and fix a bunch of stuff. I didn't save the log file ( I thought it was going to put a copy on my desktop) and didn't realize it was a temp file until after I closed it.

Th bottom line is that everything that wasn't working before is working now. It just completed some automatic windows updates, the malwarebytes installer ran, several reboots have resulted in NO ABNORMAL BEHAVIOR whatsoever, so I think it's ok.

Should I run one more combofix or hijackthis and post the log just to be sure? Or something else? I really appreciate your help and I do want to make sure whatever was there is fully eradicated.

Thanks again,

Bryan

[donackle]

I'm going to assume you'll say yes, send a hijackthis log so....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:32 AM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\iprntctl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\welcome\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [iPrint Tray] "C:\WINDOWS\system32\iprntctl.exe" TRAY_ICON
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://denverdigitalimaging.lifepics...eUploader3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7394 bytes


See anything scary?

Bryan

[donackle]

...just one more thing.... I reread the combofix instructions, amazing things, instructions, and discovered where the log file went. So:

ComboFix 08-06-08.8 - welcome 2008-06-10 15:09:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.577 [GMT -6:00]
Running from: C:\Documents and Settings\welcome\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\welcome\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\welcome\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\welcome\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Temp\vtmp2
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\BM9f3fe8c3.xml
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\gffPqqru.ini
C:\WINDOWS\system32\GgMStBeg.ini
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\icxxnosr.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mywqppkb.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\QrYbefii.ini
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\SvvwHkkj.ini
C:\WINDOWS\system32\SYcJknnn.ini
C:\WINDOWS\system32\UFfMmUtv.ini
C:\WINDOWS\system32\vbjenvjo.ini
C:\WINDOWS\system32\ybmqrpeh.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-10 14:19 . 2008-06-10 14:26 1,112 --a------ C:\WINDOWS\system32\drivers\kgpcpy.cfg
2008-06-10 14:18 . 2008-06-10 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-06-10 14:14 . 2008-06-10 14:14 <DIR> d-------- C:\Program Files\STOPzilla!
2008-06-10 14:14 . 2008-06-10 14:14 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-06-10 14:14 . 2008-06-10 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-06-10 13:06 . 2008-06-10 13:06 2 --a------ C:\WINDOWS\msoffice.ini
2008-06-09 17:59 . 2008-06-09 17:59 401,408 -ra------ C:\WINDOWS\system32\SZComp5.dll
2008-06-09 17:59 . 2008-06-09 17:59 258,048 -ra------ C:\WINDOWS\system32\SZBase5.dll
2008-06-09 14:30 . 2008-06-09 13:53 1,959,843 --a------ C:\ComboFix.exe
2008-06-04 09:26 . 2008-06-04 09:26 <DIR> d-------- C:\Deckard
2008-06-03 16:29 . 2008-06-03 16:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-03 16:29 . 2008-06-10 13:51 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 15:40 . 2008-06-03 15:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-03 14:43 . 2008-06-03 14:43 364,544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2008-06-03 14:43 . 2008-06-03 14:43 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2008-06-03 14:42 . 2008-06-03 14:42 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2008-06-03 14:42 . 2008-06-03 14:42 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-06-03 14:42 . 2008-06-03 14:42 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2008-06-03 14:41 . 2008-06-03 14:41 196,608 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2008-06-03 14:41 . 2008-06-03 14:41 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2008-06-03 14:40 . 2008-06-03 14:40 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2008-06-03 14:37 . 2008-06-03 14:37 708,608 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2008-06-03 07:49 . 2008-03-01 07:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-03 07:49 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-03 07:49 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-03 07:49 . 2008-03-01 07:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-03 07:49 . 2008-03-01 07:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-03 07:49 . 2008-03-01 07:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-03 07:49 . 2008-03-01 07:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-03 07:49 . 2008-03-01 07:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-03 07:49 . 2008-02-22 04:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-03 07:16 . 2008-06-03 07:16 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-03 07:16 . 2008-06-03 07:16 <DIR> d-------- C:\Program Files\CCleaner
2008-06-03 07:04 . 2006-02-28 06:00 129,536 --a--c--- C:\WINDOWS\system32\dllcache\acledit.dll
2008-06-03 07:04 . 2006-02-28 06:00 129,536 --a------ C:\WINDOWS\system32\acledit.dll
2008-06-02 23:09 . 2008-06-03 08:15 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-06-02 22:26 . 2008-06-09 14:43 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\U3
2008-06-02 21:24 . 2008-06-03 07:16 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-06-02 18:56 . 2008-06-02 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-02 18:13 . 2008-06-02 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-02 18:10 . 2008-06-03 14:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-02 18:10 . 2008-06-03 14:28 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\SUPERAntiSpyware.com
2008-06-02 16:40 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-06-02 16:28 . 2008-06-02 16:28 <DIR> d-------- C:\e2118555e18d80a669db8f
2008-06-02 13:43 . 2008-06-02 11:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-02 13:43 . 2008-06-02 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 11:57 . 2008-06-02 11:57 <DIR> d-------- C:\WINDOWS\Recent
2008-06-02 10:56 . 2008-06-10 14:59 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-02 10:56 . 2008-06-10 14:59 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-02 10:55 . 2008-06-02 10:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-02 10:55 . 2008-06-10 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 10:55 . 2008-06-10 15:13 2,747,168 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-02 10:55 . 2008-06-10 15:12 68,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-02 10:55 . 2008-06-10 15:12 37,820 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-02 10:55 . 2008-06-10 15:12 7,460 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-02 10:34 . 2008-06-02 10:34 <DIR> d-------- C:\KAV
2008-06-02 10:15 . 2007-09-06 10:45 45,056 --a------ C:\WINDOWS\system32\iprntlgn.exe
2008-06-02 10:15 . 2007-09-06 10:45 32,768 --a------ C:\WINDOWS\system32\nipplgex.dll
2008-05-29 22:05 . 2008-06-02 10:28 534 ---hs---- C:\WINDOWS\system32\rwlbomne.ini
2008-05-26 00:09 . 2008-05-29 21:58 594 ---hs---- C:\WINDOWS\system32\qbnukjin.ini
2008-05-24 23:35 . 2008-05-26 00:02 474 ---hs---- C:\WINDOWS\system32\rpkvenjr.ini
2008-05-24 23:33 . 2008-06-03 07:15 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\uTorrent
2008-05-24 23:31 . 2008-05-24 23:31 101,888 -rahs---- C:\WINDOWS\system32\acledite.exe
2008-05-24 23:31 . 2004-08-10 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-24 23:30 . 2008-05-24 23:33 <DIR> d-------- C:\Program Files\uTorrent
2008-05-24 13:39 . 2008-05-24 13:39 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-05-24 13:39 . 2008-06-10 15:09 <DIR> d-------- C:\Temp
2008-05-21 14:58 . 2008-05-21 14:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-21 14:58 . 2008-05-21 14:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-20 15:05 . 2008-05-20 15:05 32,768 --a------ C:\WINDOWS\system32\vntiho06\vntiho061083.exe
2008-05-19 22:51 . 2008-05-19 22:51 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\Viewpoint
2008-05-19 22:00 . 2008-05-19 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-13 10:03 . 2008-05-13 10:03 34,432 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 20:59 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-10 19:45 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-10 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-10 19:06 --------- d-----w C:\Documents and Settings\welcome\Application Data\AOL
2008-06-10 19:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-04 15:07 --------- d-----w C:\Program Files\TOSHIBA
2008-06-03 09:07 --------- d-----w C:\Program Files\DIGStream
2008-06-03 02:23 --------- d-----w C:\Program Files\Yahoo!
2008-06-02 23:24 --------- d-----w C:\Program Files\Metamail Inc
2008-06-02 19:47 --------- d-----w C:\Program Files\Toshiba Games
2008-06-02 16:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-02 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 02:15 --------- d-----w C:\Documents and Settings\welcome\Application Data\ZoomBrowser EX
2008-05-20 04:01 --------- d-----w C:\Program Files\Viewpoint
2008-05-20 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 00:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2006-12-13 03:10 0 ----a-w C:\Documents and Settings\welcome\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 02:32 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 23:55 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-27 23:55 118784]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 16:02 352256]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 02:34 82009]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 02:32 761945]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 14:25 73728]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 18:13 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 19:37 151552]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 13:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 12:41 602182]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-08 22:30 188416]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2007-09-06 10:45 40960]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2007-09-06 10:45 45056]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [2008-06-10 14:59 231952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jqX42.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ovC20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qyG53.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^welcome^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\welcome\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEUpdate]
-rahs---- 2008-05-24 23:31 101888 C:\WINDOWS\system32\acledite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\welcome\Application Data\Microsoft\dtsc\12815.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Swupdtmr"=2 (0x2)
"MsSecurity1.209.4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Novell\\GroupWise\\GrpWise.exe"=
"C:\\Novell\\GroupWise\\Notify.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-05-13 10:03]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2007-09-06 10:35]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-05-30 17:49]
S0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 02:05]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 16:47]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 15:14:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-06-10 15:20:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-10 21:20:24

Pre-Run: 83,557,257,216 bytes free
Post-Run: 83,522,260,992 bytes free

255 --- E O F --- 2008-06-04 14:52:30

[Glaswegian]

Hi again Bryan

Yep, handy things, instructions.

We’ve still some more to do, so stick with me until we are finished.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.



Combofix

• Close any open browsers.
  
• Open notepad and copy/paste the text in the box below into it:

Code:

File::
C:\WINDOWS\system32\rwlbomne.ini
C:\WINDOWS\system32\qbnukjin.ini
C:\WINDOWS\system32\rpkvenjr.ini
C:\WINDOWS\system32\acledite.exe

Folder::
C:\WINDOWS\system32\vntiho06
C:\Documents and Settings\welcome\Application Data\Viewpoint
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\e2118555e18d80a669db8f

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jqX42.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ovC20.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qyG53.sys]

Driver::
Viewpoint Manager Service

Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.

[donackle]

OK. HijackThis....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:15 AM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\iprntctl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\welcome\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [iPrint Tray] "C:\WINDOWS\system32\iprntctl.exe" TRAY_ICON
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://denverdigitalimaging.lifepics...eUploader3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 7263 bytes

[donackle]

I can't post the combofix log.....it says I have 66 images in the log and am only allowed 25. I don't see any images..

[Glaswegian]

Can you attach the text file?

[donackle]

how do I attach a file?

[donackle]

here..

[Glaswegian]

Hi again

Logs are looking good – how are things running now?

We’ll just restore a folder – turned out to have legit files within.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.



Combofix

• Close any open browsers.
  
• Open notepad and copy/paste the text in the box below into it:

Code:

DeQuarantine::
C:\e2118555e18d80a669db8f

Quit::

Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ DeQuarantine_log.txt "

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ DeQuarantine_log along with a fresh HijackThis Log for further review.