07-05-2008, 03:32 AM   #1
Registered User
Join Date: Jun 2008
Posts: 8
OS: windowsxp

Frustrated with a persistent Trojan that rewrites itself!!!

Hello... I have done the 5 steps of trying to remove this persistent Trojan that continually rewrites itself... I would appreciate any help to rid this computer of this problem. If there are any problems reading the copies I have pasted, I will also include them in attachments... Thank you for your help.

Below are the results of my Panda ActiveScan:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-05 01:30:04
PROTECTIONS: 2
MALWARE: 28
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee Internet Security Suite 2007 8.1 No Yes
McAfee VirusScan Plus 12.1 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP438\A0209562.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe[²ƒÇ]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
00250251 Adware/ISearch Adware No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP434\A0207709.exe
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
00371752 Adware/Yazzle Adware No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP435\A0209248.exe
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe
00519333 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP438\A0209562.exe
02377322 Trj/Downloader.QLX Virus/Trojan No 1 No No C:\186.tmp[ISMModule4.exe]
02377322 Trj/Downloader.QLX Virus/Trojan No 1 No No C:\1F4.tmp[ISMModule4.exe]
02377326 Adware/Adband Adware No 0 No No C:\186.tmp[BndDrive3.dll]
02377326 Adware/Adband Adware No 0 No No C:\1F4.tmp[BndDrive3.dll]
02377326 Adware/Adband Adware No 0 No No C:\1F0.tmp[BndDrive3.dll]
02409145 Adware/Adband Adware No 0 Yes No C:\186.tmp
02409145 Adware/Adband Adware No 0 Yes No C:\1F4.tmp
02487350 Generic Malware Virus/Trojan No 0 No No C:\563.tmp[BndDrive6.dll]
02556812 Trj/Downloader.MDW Virus/Trojan No 1 No No C:\563.tmp[ISMModule6.exe]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211084.sys
02886407 Application/DownAndRun HackTools No 0 No No C:\563.tmp[bndloader.exe]
02886407 Application/DownAndRun HackTools No 0 No No C:\1F0.tmp[bndloader.exe]
02886407 Application/DownAndRun HackTools No 0 No No C:\1F4.tmp[bndloader.exe]
02886407 Application/DownAndRun HackTools No 0 No No C:\186.tmp[bndloader.exe]
02887265 Adware/Adband Adware No 0 No No C:\1F0.tmp[ism.exe]
02887265 Adware/Adband Adware No 0 No No C:\563.tmp[ism.exe]
02887265 Adware/Adband Adware No 0 No No C:\1F4.tmp[ism.exe]
02887265 Adware/Adband Adware No 0 No No C:\186.tmp[ism.exe]
02887266 Adware/InternetSpeedMonitor Adware No 0 No No C:\1F0.tmp[ISMModule3.exe]
02887267 Adware/Adband Adware No 0 Yes No C:\1F0.tmp
02894131 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\563.tmp
03105847 Trj/Downloader.TZU Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP439\A0210779.exe
03162467 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211056.dll
03162467 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP437\A0209422.dll
03162467 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\sjuhtimw.dll.vir
03162467 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP438\A0209475.dll
03162467 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP436\A0209358.dll
03162763 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP439\A0210933.dll
03183652 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP439\A0210932.dll
03184246 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\geBtRhiG.dll
03184629 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211061.dll
03184629 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\tuihcxms.dll.vir
03194572 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP436\A0209355.dll
03194572 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP438\A0209472.dll
03194572 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP439\A0209646.dll
03194572 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP437\A0209419.dll
03194576 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP439\A0210935.dll
03194814 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP439\A0210853.dll
03204891 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211051.dll
03204891 Generic Malware Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\qfcfitpw.dll.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Here is the DSS main.txt:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-05 02:04:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
48: 2008-07-05 08:48:15 UTC - RP441 - Deckard's System Scanner Restore Point
47: 2008-07-04 10:50:51 UTC - RP440 - ComboFix created restore point
46: 2008-06-29 01:30:05 UTC - RP439 - Installed Java(TM) 6 Update 6
45: 2008-06-28 22:05:51 UTC - RP438 - Restore Operation
44: 2008-06-28 21:50:45 UTC - RP437 - Restore Operation


-- First Restore Point --
1: 2008-06-21 06:54:34 UTC - RP394 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 239 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 217 AM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\AOL\1167533480\ee\aolsoftware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1214824509765
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/JS...ws-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

--
End of file - 11196 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BsStor (B.H.A Storage Helper Driver) - c:\windows\system32\drivers\bsstor.sys <Not Verified; B.H.A Co.,Ltd.; >
R0 TVALZ (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalz.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Common Modules>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 BsUDF (B.H.A UDF Filesystem) - c:\windows\system32\drivers\bsudf.sys <Not Verified; B.H.A Co.,Ltd.; UDF File System Driver (WindowsXP)>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
R2 tossmbnt - c:\windows\system32\drivers\tossmbnt.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 PRISM_A02 (Gateway Wireless 802.11g USB Adapter) - c:\windows\system32\drivers\prisma02.sys <Not Verified; GlobespanVirata, Inc.; PRISM 802.11 Wireless LAN>
S3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPFECP06\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPFECP06\0000
Service: HPFECP06


-- Scheduled Tasks -------------------------------------------------------------

2008-07-01 01:00:02 332 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-06-25 19:27:22 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2005-08-05 22:32:15 342 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1108276221.job


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-04 23:32:01 0 d-------- C:\WINDOWS\LastGood
2008-07-04 03:32:24 68096 --a------ C:\WINDOWS\zip.exe
2008-07-04 03:32:24 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-04 03:32:24 98816 --a------ C:\WINDOWS\sed.exe
2008-07-04 03:32:24 80412 --a------ C:\WINDOWS\grep.exe
2008-07-04 03:32:23 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-04 03:32:23 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-04 03:32:23 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-04 03:32:23 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-30 05:02:23 0 d-------- C:\microsoft updates
2008-06-30 03:43:23 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 03:42:36 0 d-------- C:\Program Files\SpywareBlaster
2008-06-30 00:42:08 0 d-------- C:\Program Files\Panda Security
2008-06-29 01:24:30 0 d-------- C:\Program Files\Trend Micro
2008-06-28 17:25:39 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\InterTrust
2008-06-28 17:25:39 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Identities
2008-06-28 17:25:39 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Drag'n Drop CD+DVD
2008-06-28 17:25:39 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Adobe
2008-06-28 17:25:38 0 dr------- C:\Documents and Settings\Administrator.THEHADDADS\Favorites
2008-06-28 17:25:38 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\Desktop
2008-06-28 17:25:38 0 d--hs---- C:\Documents and Settings\Administrator.THEHADDADS\Cookies
2008-06-28 17:25:38 0 dr-h----- C:\Documents and Settings\Administrator.THEHADDADS\Application Data
2008-06-28 17:25:38 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\toshiba
2008-06-28 17:25:38 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Symantec
2008-06-28 17:25:38 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Sun
2008-06-28 17:25:38 0 d---s---- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Microsoft
2008-06-28 17:25:38 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\InterVideo
2008-06-28 17:25:37 0 dr------- C:\Documents and Settings\Administrator.THEHADDADS\Start Menu
2008-06-28 17:25:37 0 dr-h----- C:\Documents and Settings\Administrator.THEHADDADS\SendTo
2008-06-28 17:25:37 0 dr-h----- C:\Documents and Settings\Administrator.THEHADDADS\Recent
2008-06-28 17:25:37 0 d--h----- C:\Documents and Settings\Administrator.THEHADDADS\PrintHood
2008-06-28 17:25:37 0 d--h----- C:\Documents and Settings\Administrator.THEHADDADS\NetHood
2008-06-28 17:25:37 0 dr------- C:\Documents and Settings\Administrator.THEHADDADS\My Documents
2008-06-28 17:25:37 0 d--h----- C:\Documents and Settings\Administrator.THEHADDADS\Local Settings
2008-06-28 17:25:36 0 d-------- C:\Documents and Settings\Administrator.THEHADDADS\WINDOWS
2008-06-28 17:25:36 0 d--h----- C:\Documents and Settings\Administrator.THEHADDADS\Templates
2008-06-28 17:25:36 1310720 --ah----- C:\Documents and Settings\Administrator.THEHADDADS\NTUSER.DAT
2008-06-28 15:41:24 0 d-------- C:\VundoFix Backups
2008-06-25 21:57:59 0 d-------- C:\Program Files\microsoft malicious software removal tool
2008-06-25 19:28:57 0 d-------- C:\mcafee_mcpr
2008-06-25 19:21:32 0 d-------- C:\Program Files\McAfee
2008-06-25 17:53:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 17:48:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 2346 131584 --a------ C:\WINDOWS\system32\vnorlxrh.dll
2008-06-23 23:57:00 131584 --a------ C:\WINDOWS\system32\pjogcehu.dll
2008-06-20 23:46:29 0 d-------- C:\WINDOWS\system32\mir
2008-06-20 23:46:29 0 d-------- C:\WINDOWS\system32\jdam
2008-06-20 23:46:29 0 d-------- C:\WINDOWS\system32\49a
2008-06-20 23:44:47 0 d-------- C:\WINDOWS\system32\modtrux05


-- Find3M Report ---------------------------------------------------------------

2008-07-04 02:19:46 0 d-------- C:\Program Files\Pure Networks
2008-06-30 00:05:40 0 d-------- C:\Program Files\Viewpoint
2008-06-28 18:34:23 0 d-------- C:\Program Files\Java
2008-06-28 00:57:08 0 d-------- C:\Program Files\Common Files
2008-06-27 04:14:42 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-25 21:18:44 0 d-------- C:\Program Files\mcafee.com
2008-06-25 1941 0 d-------- C:\Documents and Settings\Owner\Application Data\AOL
2008-06-25 19:03:18 0 d-------- C:\Program Files\Common Files\AOL
2008-06-25 18:03:05 0 d-------- C:\Program Files\Lavasoft
2008-06-25 17:56:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-06-12 1457 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 01:19 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 01:07 AM]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [01/02/2003 05:16 PM]
"AGRSMMSG"="AGRSMMSG.exe" [04/18/2003 12:20 PM C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [07/17/2003 06:38 PM]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [01/21/2003 07:00 PM]
"TFNF5"="TFNF5.exe" [10/15/2003 05:03 PM C:\WINDOWS\system32\TFNF5.exe]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [10/31/2003 04:01 PM]
"TPSMain"="TPSMain.exe" [11/19/2003 10:15 PM C:\WINDOWS\system32\TPSMain.exe]
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" [11/05/2003 06:38 AM]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [03/17/2005 04:37 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/23/2006 05:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/04/2006 04:18 AM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 11:29 AM]
"000StTHK"="000StTHK.exe" [06/23/2001 09:28 PM C:\WINDOWS\system32\000StTHK.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe" [09/25/2006 05:52 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [09/05/2003 04:24 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [11/30/2006 10:49 PM]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [07/12/2005 07:17 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/6/2003 1:37:10 AM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 258 AM]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [8/6/2003 2:23:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MPFExe"=C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
"EmailScan"=C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
"OASClnt"=C:\Program Files\mcafee.com\antivirus\oasclnt.exe
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
"AOLSPScheduler"=C:\Program Files\Common Files\AOL\1136373225\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
"ezShieldProtector for Px"=C:\WINDOWS\System32\ezSP_Px.exe
"sscRun"=C:\Program Files\Common Files\AOL\1136373225\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
"00THotkey"=C:\WINDOWS\System32\00THotkey.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-07-05 02:08:09 ------------

Here is the extra.txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.80GHz
Percentage of Memory in Use: 82%
Physical Memory (total/avail): 238.79 MiB / 41.5 MiB
Pagefile Memory (total/avail): 633.71 MiB / 183.76 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.45 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 26.14 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HITACHI_DK23FA-40 - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
AntivirusOverride is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1167533480\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1167533480\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Toshiba\\ConfigFree\\CFSServ.exe"="C:\\Program Files\\Toshiba\\ConfigFree\\CFSServ.exe:*:Enabled:Search for Wireless Devices"
"C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"="C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe:*:Enabled:Acrobat Reader 5.0"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=THEHADDADS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\THEHADDADS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\America Online 9.0;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PortMagicSDKIsRunning=1
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TOSMFG=TOSHIBA
USERDOMAIN=THEHADDADS
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator.THEHADDADS (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\mcafee.com\antivirus\uninst.exe" /PopUpMsgBox="N" /CheckMutx="N" /S
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM Toolbar --> C:\Program Files\AIM Toolbar\uninstall.exe
Alps Pointing-device Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AOL Coach Version 2.0(Build:20041026.5 en) --> C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Deskbar --> "C:\Program Files\AOL Deskbar\UNWISE.EXE" /u "C:\Program Files\AOL Deskbar\INSTALL.LOG"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL Toolbar --> "C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA561482-C49D-4687-A61C-96236C1688F0}\Setup.exe" -l0x9
AT&T Connection Services Manager --> C:\WINDOWS\WNBackup\WnClient62\unwise32.exe /Z /U C:\WINDOWS\WNBackup\WnClient62\install.log "AT&T Connection Services Manager"
B's CLiP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19C64880-BBCA-11D4-9EEE-0004ACDDDB3B}\Setup.exe" -l0x9
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
Drag'n Drop CD+DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDC146FA-73E0-4FA1-A353-841EA14BF600}\Setup.exe" -l0x9 deleteall
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver
Family Feud --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFB50C42-4905-11D4-8BA5-0050BAAA20E2}\setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp psc 2100 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 2100 series --> MsiExec.exe /X{82DFB852-9594-4668-9C66-28BB6E94BCB2}
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
Notebook Maximizer --> C:\WINDOWS\iun506.exe C:\Program Files\Notebook Maximizer\irunin.ini
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Quicken 2004 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SurfHere by Toshiba --> MsiExec.exe /X{A962C8E1-4F0B-4BA9-806E-B8D9A3B31F82}
The Game Of Life --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL1.isu" -c"C:\Program Files\Hasbro Interactive\The Game Of Life\_ISREG32.DLL"
TOSHIBA Access --> C:\PROGRA~1\TOSHIB~1\UNWISE.EXE C:\PROGRA~1\TOSHIB~1\INSTALL.LOG
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Display Devices Change Utility --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TDspBtn.inf,DefaultUninstall,5
TOSHIBA Fax Extension --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AC200C3-A4C8-401C-A5A8-202BE888B165}\setup.exe"
TOSHIBA Hotkey Utility for Display Devices --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TFNF5.inf,DefaultUninstall,5
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\System32\TPSDel.dll"
Toshiba Registration --> MsiExec.exe /X{F6C405D2-C50D-4D10-B89E-73A233A14D74}
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\Setup.exe"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.exe"
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
Toshiba Tbiosdrv Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Toshiba Tbiosdrv Driver\Tbiosdrv.isu"
TOSHIBA TouchPad On/Off Utility V2.05.00 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\TouchED\Uninst.isu" -c"C:\Program Files\TOSHIBA\TouchED\tpedinst.dll"
TOSHIBA Utilities --> tutildel.exe
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3470FBE6-B743-420F-B5CE-0D27FA749C16}\Setup.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1905 / Error
Event Submitted/Written: 07/05/2008 01:58:32 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module dss.dll, version 0.0.0.0, fault address 0x00002120.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type1904 / Error
Event Submitted/Written: 07/05/2008 01:56:57 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module dss.dll, version 0.0.0.0, fault address 0x00002120.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type1903 / Error
Event Submitted/Written: 07/05/2008 01:48:54 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss[1].exe, version 3.2.8.1, faulting module dss.dll, version 0.0.0.0, fault address 0x00002120.
Processing media-specific event for [dss[1].exe!ws!]

Event Record #/Type1888 / Error
Event Submitted/Written: 07/04/2008 02:10:59 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Ad-Aware.exe, version 7.1.0.10, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1885 / Error
Event Submitted/Written: 07/03/2008 00:59:58 AM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 425880853.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type26973 / Warning
Event Submitted/Written: 07/04/2008 06:43:40 PM
Event ID/Source: 11050 / dnscache
Event Description:
The DNS Client service could not contact any DNS servers for
a repeated number of attempts. For the next 30 seconds the
DNS Client service will not use the network to avoid further
network performance problems. It will resume its normal behavior
after that. If this problem persists, verify your TCP/IP
configuration, specifically check that you have a preferred
(and possibly an alternate) DNS server configured. If the problem
continues, verify network conditions to these DNS servers or contact
your network administrator.

Event Record #/Type26970 / Error
Event Submitted/Written: 07/04/2008 06:34:32 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Event Record #/Type26927 / Error
Event Submitted/Written: 07/04/2008 01:15:24 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type26890 / Error
Event Submitted/Written: 07/04/2008 06:00:16 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type26867 / Error
Event Submitted/Written: 07/04/2008 05:07:05 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2008-07-05 02:08:09 ------------
Attached Files
File Type: txt ActiveScan.txt (11.5 KB, 0 views)
File Type: txt dss extra.txt (19.7 KB, 0 views)
File Type: txt dss main.txt (24.5 KB, 0 views)
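The Security Center block in the extra.txt above is what an analyst reads first: the Windows firewall is off, and AntiVirusDisableNotify and AntivirusOverride are set, which are the Security Center registry flags that stop it alerting on and monitoring antivirus status (third-party suites commonly set them at install, so they are a lead, not proof). The script below is an added example, not part of this thread or of Deckard's System Scanner. It parses the XP SP2 firewall AuthorizedApplications export format shown in the log, "<path>:<scope>:<Enabled|Disabled>:<display name>", and lists the exceptions an analyst should look at before trusting the firewall once it is switched back on. The sample log is constructed; the Temp\svchost.exe exception in it is invented for illustration and does not appear in the poster's log, the other entries mirror posted ones.

```python
"""Triage the Security Center section of a Deckard's System Scanner extra.txt
(added example; not part of the thread or of DSS)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the posted extra.txt. The Temp\svchost.exe
# exception is invented to exercise the checks; the other entries mirror the posted log.
SAMPLE_EXTRA = r"""
-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
AntivirusOverride is set.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\svchost.exe:*:Enabled:Windows Update"
"""

REG_VALUE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')

# Names of core Windows processes that malware likes to borrow outside System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\application data\\")


def unescape(s: str) -> str:
    """Registry exports double every backslash; undo that."""
    return s.replace("\\\\", "\\")


def parse_security_center(text: str) -> Dict[str, bool]:
    """The three lines an analyst checks first in the Security Center section."""
    return {
        "firewall_disabled": "Windows Internal Firewall is disabled." in text,
        "av_notify_disabled": "AntiVirusDisableNotify is set." in text,
        "av_override": "AntivirusOverride is set." in text,
    }


def parse_exceptions(text: str) -> List[dict]:
    """Parse AuthorizedApplications values: "<path>:<scope>:<state>:<display name>"."""
    entries = []
    for raw in text.splitlines():
        m = REG_VALUE.match(raw.strip())
        if not m:
            continue
        key, value = unescape(m.group("key")), unescape(m.group("value"))
        # The value starts with the path, which itself contains "C:", so strip the
        # known path (it equals the value name) instead of splitting on ':' blindly.
        if not value.startswith(key + ":"):
            continue
        parts = value[len(key) + 1:].split(":", 2)
        if len(parts) != 3:
            continue
        scope, state, name = parts
        entries.append({"path": key, "scope": scope, "enabled": state.lower() == "enabled", "name": name})
    return entries


def suspicious_exceptions(entries: List[dict]) -> List[Tuple[str, List[str]]]:
    """Enabled exceptions that an analyst should look at before trusting the firewall."""
    flagged = []
    for e in entries:
        if not e["enabled"]:
            continue
        path = e["path"].lower()
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("binary lives in a user-writable location")
        if base in SYSTEM_NAMES and "\\system32\\" not in path:
            reasons.append("core Windows process name outside System32")
        if reasons and e["scope"] == "*":
            reasons.append("exception is open to any remote address")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


def report(text: str) -> List[str]:
    lines = []
    flags = parse_security_center(text)
    if flags["firewall_disabled"]:
        lines.append("Windows Firewall is off: the exception list below is moot until it is on")
    if flags["av_override"]:
        lines.append("AntivirusOverride set: Security Center is not monitoring AV state (third-party suites often set this; confirm)")
    for path, reasons in suspicious_exceptions(parse_exceptions(text)):
        lines.append(f"{path}: " + "; ".join(reasons))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXTRA)))
```

Run it against a real extra.txt by reading the file into `report()`; the exceptions are stripped of the path prefix before splitting on ':' precisely because the drive letter would otherwise break a naive split.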

Old 07-10-2008, 03:38 AM   #2 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 8
OS: windowsxp


Re: Frustrated with a persistent Trojan that rewrites itself!!!

BUMP, please
Old 07-11-2008, 06:51 AM   #3 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,472
OS: XP SP3


Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hello and welcome to TSF.

Sorry for the delay in response. The forum is really busy.

Looks like you've run Combofix. ComboFix is an extremely powerful tool and should only be used when instructed by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

http://i266.photobucket.com/albums/i...er_ENU_B-1.gif

If you have used it with the instruction of a trained analyst, please give us the link so that we may know what has transpired prior to posting here. Post the combofix.txt in your next reply please. (C:\Combofix.txt)

=====================================

Please scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


Close all browsers and windows other than HijackThis and click on "fix checked".

=====================================

Restart the computer and post a fresh HijackThis log along with the Combofix.txt
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
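The two entries amateur asked to have fix-checked are a search setting pointing away from the Microsoft defaults and a toolbar CLSID with no backing file. The script below generalises that reading into a first pass over a HijackThis 2.0.2 log; it is an added example, not part of this thread or of HijackThis. Its host allowlists are assumptions (IE defaults plus the vendors that served the posted O16 objects), and a "review" result means an analyst should look, not that the entry is malicious. The sample lines are constructed in the log's format: the search.example.net SearchURL and the Temp\updater.exe Run entry are invented for illustration, the rest mirror entries posted in this thread.

```python
"""First-pass triage of a HijackThis 2.0.2 log (added example, not HijackThis code)."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample in HijackThis format. The search.example.net and Temp\updater.exe lines
# are invented to exercise the checks; the others mirror entries from the posted log.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.example.net/redirect
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\Owner\LOCALS~1\Temp\updater.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
"""

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_ENTRY = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Assumed allowlists: hosts IE's R0/R1 defaults point at, and hosts that served the
# posted O16 objects. Anything else is listed for review, not declared malicious.
DEFAULT_HOSTS = ("microsoft.com", "msn.com", "live.com")
DPF_HOSTS = DEFAULT_HOSTS + ("macromedia.com", "adobe.com", "sun.com", "java.com", "pandasoftware.com")
USER_WRITABLE = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\")

Finding = Tuple[str, str, str]  # (verdict, log line, reason)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def trusted(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, honouring quoting."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            setting, _, url = body.partition(" = ")
            # Search-related values (SearchURL, Search Page, Default_Search_URL) are the
            # usual hijack targets; a user's chosen Start Page is not flagged.
            if "Search" in setting and not trusted(host_of(url), DEFAULT_HOSTS):
                findings.append(("review", line, "search setting points at " + host_of(url)))
        elif kind in ("O2", "O3", "O9") and ("(no file)" in body or "(file missing)" in body):
            findings.append(("fix", line, "registered object has no backing file (orphan)"))
        elif kind == "O4":
            o4 = O4_ENTRY.search(body)
            if not o4:
                continue  # Global Startup .lnk lines have a different shape
            exe = executable_of(o4.group("cmd"))
            if "\\" not in exe:
                findings.append(("review", line, "bare filename resolved through PATH: " + exe))
            elif any(marker in exe.lower() for marker in USER_WRITABLE):
                findings.append(("fix", line, "autorun from user-writable location: " + exe))
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if not url.lower().startswith("http"):
                findings.append(("review", line, "DPF object backed by local file: " + url))
            elif not trusted(host_of(url), DPF_HOSTS):
                findings.append(("review", line, "ActiveX CAB served from " + host_of(url)))
    return findings


if __name__ == "__main__":
    for verdict, line, reason in triage(SAMPLE_HJT):
        print(f"[{verdict:6}] {reason}\n         {line}")
```

The "fix" verdicts (orphan CLSIDs, autoruns from Temp) are the ones an analyst would normally fix-check straight away; "review" entries such as a bare TFNF5.exe resolved through PATH or a CAB from an unlisted host are usually legitimate, as the Toshiba and MySpace entries in this log are, and need a look rather than a fix.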
Old 07-14-2008, 03:59 AM   #4 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 8
OS: windowsxp


Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hello Amateur, and thank you for your very helpful response!!! I did as you instructed in your response post and have included a fresh HijackThis log along with Combofix.txt. I will be perfectly honest in saying I was not instructed to run ComboFix. It was in my search to delete the trojan that I read about ComboFix, so I hope I didn't do MAJOR DAMAGE to my computer... I have also included the ComboFix quarantined files. Again, I would like to thank you for your help.
Sincerely,
Myst05

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:28 AM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\America Online 9.0\waol.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Common Files\AOL\1167533480\ee\aolsoftware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1214824509765
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/JS...ws-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

--
End of file - 10891 bytes

Combofix.txt(s)
2007-04-25 21:30 29184 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\MSINET.oca.vir
2007-09-23 17:05 279600 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pac.txt.vir
2007-11-27 18:45 1011 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk.vir
2008-01-08 21:44 28747 --a------ C:\Qoobox\Quarantine\C\Temp\1cb\syscheck.log.vir
2008-06-20 23:44 16464 --a------ C:\Qoobox\Quarantine\C\csrss.exe.vir
2008-06-20 23:53 301568 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJCstts.dll.vir
2008-06-21 02:41 1696381 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vthovgsa.ini.vir
2008-06-21 23:31 128512 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xfnnaeph.dll.vir
2008-06-21 23:41 130560 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\moecegjj.dll.vir
2008-06-23 23:53 1696561 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vmclwncg.ini.vir
2008-06-25 16:33 1719143 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pqugvpre.ini.vir
2008-06-25 16:33 94720 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lsvyyjxa.dll.vir
2008-06-25 16:42 108032 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\irdqxrrt.dll.vir
2008-06-25 21:08 143 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-06-26 21:19 3030714 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\afdftssp.ini.vir
2008-06-26 21:20 95744 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tgdpblhp.dll.vir
2008-06-26 21:26 108032 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\taidpjoy.dll.vir
2008-06-27 22:45 3011419 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ntusajuf.ini.vir
2008-06-27 23:44 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sjuhtimw.dll.vir
2008-06-27 23:50 104960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fqzpva.dll.vir
2008-06-27 23:50 104960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rdacwpat.dll.vir
2008-06-28 16:36 1413 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2008-06-29 00:04 3019398 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kppxlsll.ini.vir
2008-06-29 00:05 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sdjdekvl.dll.vir
2008-06-29 00:12 104960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\aqdjqn.dll.vir
2008-06-29 00:12 104960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kxrhferb.dll.vir
2008-06-30 00:12 3012816 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pgdwbpvu.ini.vir
2008-06-30 00:17 104448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rjjksh.dll.vir
2008-06-30 00:17 104448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\unvdtdxb.dll.vir
2008-07-02 00:32 94720 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tuihcxms.dll.vir
2008-07-02 00:33 110321 --a------ C:\Qoobox\Quarantine\C\WINDOWS\BMbfc81020.xml.vir
2008-07-02 00:36 3018846 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ltmffowg.ini.vir
2008-07-02 00:40 104448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mphrjmse.dll.vir
2008-07-02 00:40 104448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\zyxspp.dll.vir
2008-07-03 00:45 104960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\egmdtnuj.dll.vir
2008-07-03 00:45 104960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qltaib.dll.vir
2008-07-03 00:47 2683632 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wnjnypcn.ini.vir
2008-07-03 00:50 86016 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qfcfitpw.dll.vir
2008-07-04 02:25 22 --a------ C:\Qoobox\Quarantine\C\WINDOWS\pskt.ini.vir
2008-07-04 02:25 39332 --a------ C:\Qoobox\Quarantine\C\WINDOWS\BMbfc81020.txt.vir
2008-07-04 02:27 3229899 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wptifcfq.ini.vir
2008-07-04 02:27 87040 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\krfdynmi.dll.vir
2008-07-04 02:31 104960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tjmanfvo.dll.vir
2008-07-04 02:31 104960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tulvnw.dll.vir
2008-07-04 02:41 650889 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sttsCJjl.ini2.vir
2008-07-04 02:42 1695341 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\imnydfrk.ini.vir
2008-07-04 02:42 650889 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sttsCJjl.ini.vir
2008-07-04 04:21 210 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_TnIDriver.reg.dat
2008-07-04 05:17 103 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-07-04 05:17 138 --a------ C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-ISMModule6.reg.dat
2008-07-04 05:17 146 --a------ C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{4E06327D-0415-475F-898B-6ACFB316073E}.reg.dat
2008-07-04 05:17 149 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-bcfb23bc.reg.dat
2008-07-04 05:17 150 --a------ C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-BMbfc81020.reg.dat
2008-07-04 05:17 150 --a------ C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-ALUAlert.reg.dat
2008-07-04 05:17 151 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-BMbfc81020.reg.dat
2008-07-04 05:17 1690 --a------ C:\Qoobox\Quarantine\Registry_backups\BHO-{8C6D5A56-791E-4fe8-9D64-81781FA15D68}.reg.dat
2008-07-04 19:26 216 --a------ C:\Qoobox\Quarantine\catchme.log

ComboFix 08-07-03.3 - Owner 2008-07-04 18:38:11.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-03 00:47 . 2008-07-03 00:47 0 --a------ C:\WINDOWS\system32\wnjnypcn.tmp
2008-06-30 05:02 . 2008-06-30 05:04 <DIR> d-------- C:\microsoft updates
2008-06-30 03:43 . 2008-07-03 02:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 03:42 . 2008-07-03 02:07 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-30 00:42 . 2008-06-30 00:42 <DIR> d-------- C:\Program Files\Panda Security
2008-06-29 01:24 . 2008-06-29 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 17:25 . 2003-11-20 17:28 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\WINDOWS
2008-06-28 17:25 . 2003-11-20 18:32 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\toshiba
2008-06-28 17:25 . 2003-11-20 18:34 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Symantec
2008-06-28 17:25 . 2003-11-21 11:25 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\InterVideo
2008-06-28 17:25 . 2003-11-20 17:59 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\InterTrust
2008-06-28 17:25 . 2003-11-20 18:52 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Drag'n Drop CD+DVD
2008-06-28 17:25 . 2008-06-28 17:25 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS
2008-06-28 15:41 . 2008-06-28 15:41 <DIR> d-------- C:\VundoFix Backups
2008-06-25 21:57 . 2008-06-25 22:00 <DIR> d-------- C:\Program Files\microsoft malicious software removal tool
2008-06-25 21:01 . 2008-07-04 18:35 20,619 --a------ C:\WINDOWS\system32\Config.MPF
2008-06-25 19:30 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-25 19:30 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-06-25 19:30 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-06-25 19:30 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-06-25 19:30 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-06-25 19:29 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-06-25 19:28 . 2008-06-27 04:14 <DIR> d-------- C:\mcafee_mcpr
2008-06-25 19:21 . 2008-06-27 22:38 <DIR> d-------- C:\Program Files\McAfee
2008-06-25 17:53 . 2008-06-25 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 17:48 . 2008-06-25 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 23:06 . 2008-06-24 23:06 131,584 --a------ C:\WINDOWS\system32\vnorlxrh.dll
2008-06-23 23:57 . 2008-06-23 23:57 131,584 --a------ C:\WINDOWS\system32\pjogcehu.dll
2008-06-20 23:46 . 2008-06-28 05:14 <DIR> d-------- C:\WINDOWS\system32\mir
2008-06-20 23:46 . 2008-06-25 18:41 <DIR> d-------- C:\WINDOWS\system32\jdam
2008-06-20 23:46 . 2008-06-25 18:41 <DIR> d-------- C:\WINDOWS\system32\49a
2008-06-20 23:44 . 2008-06-28 15:01 <DIR> d-------- C:\WINDOWS\system32\modtrux05
2008-06-20 23:44 . 2008-06-20 23:44 <DIR> d-------- C:\Temp\syschk3
2008-06-20 23:44 . 2008-06-20 23:44 44,544 --a------ C:\WINDOWS\system32\geBtRhiG.dll
2008-06-11 03:22 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 09:19 --------- d-----w C:\Program Files\Pure Networks
2008-06-30 07:05 --------- d-----w C:\Program Files\Viewpoint
2008-06-30 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-29 01:34 --------- d-----w C:\Program Files\Java
2008-06-27 11:14 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-27 11:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-26 04:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-26 04:18 --------- d-----w C:\Program Files\mcafee.com
2008-06-26 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 02:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-06-26 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-26 02:03 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-26 01:03 --------- d-----w C:\Program Files\Lavasoft
2008-06-26 00:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-04_ 5.17.20.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 11:55:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-04 20:14:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-04 08:46:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-05 01:39:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-04 08:46:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-05 01:39:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-04 08:46:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-05 01:39:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-04 21:38:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24 65536]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.EXE" [2005-07-12 07:17 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07 114688]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 17:16 172032]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 18:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 19:00 126976]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 16:01 1019904]
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-11-05 06:38 1380352]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 16:37 151552]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50 71216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-04 04:18 98304]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"HostManager"="C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe" [2006-09-25 17:52 50736]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 12:20 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 17:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-11-19 22:15 278528 C:\WINDOWS\system32\TPSMain.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 01:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 0258 28672]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 14:23:32 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-12-08 15:50 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MPFExe"=C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
"EmailScan"=C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
"OASClnt"=C:\Program Files\mcafee.com\antivirus\oasclnt.exe
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
"AOLSPScheduler"=C:\Program Files\Common Files\AOL\1136373225\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
"ezShieldProtector for Px"=C:\WINDOWS\System32\ezSP_Px.exe
"sscRun"=C:\Program Files\Common Files\AOL\1136373225\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
"00THotkey"=C:\WINDOWS\System32\00THotkey.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1167533480\\ee\\aolsoftware.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Toshiba\\ConfigFree\\CFSServ.exe"=
"C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 02:07]
R2 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 12:50]
R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;C:\WINDOWS\system32\DRIVERS\WPC54Gv3.SYS [2006-12-01 00:54]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;C:\WINDOWS\system32\DRIVERS\pc100nds.sys [2001-08-17 12:12]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2005-08-06 05:32:15 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1108276221.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-06-26 02:27:22 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-07-01 08:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 18:46:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-04 18:59:19
ComboFix-quarantined-files.txt 2008-07-05 01:58:07
ComboFix2.txt 2008-07-04 21:13:21
ComboFix3.txt 2008-07-04 12:19:43

Pre-Run: 28,180,295,680 bytes free
Post-Run: 28,168,781,824 bytes free

181 --- E O F --- 2008-06-20 04:03:04


ComboFix 08-07-03.3 - Owner 2008-07-04 3:56:25.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\csrss.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BMbfc81020.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\afdftssp.ini
C:\WINDOWS\system32\aqdjqn.dll
C:\WINDOWS\system32\b10
C:\WINDOWS\system32\egmdtnuj.dll
C:\WINDOWS\system32\fqzpva.dll
C:\WINDOWS\system32\imnydfrk.ini
C:\WINDOWS\system32\irdqxrrt.dll
C:\WINDOWS\system32\kppxlsll.ini
C:\WINDOWS\system32\krfdynmi.dll
C:\WINDOWS\system32\kxrhferb.dll
C:\WINDOWS\system32\ljJCstts.dll
C:\WINDOWS\system32\lsvyyjxa.dll
C:\WINDOWS\system32\ltmffowg.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\moecegjj.dll
C:\WINDOWS\system32\mphrjmse.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ntusajuf.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pgdwbpvu.ini
C:\WINDOWS\system32\pqugvpre.ini
C:\WINDOWS\system32\qfcfitpw.dll
C:\WINDOWS\system32\qltaib.dll
C:\WINDOWS\system32\rdacwpat.dll
C:\WINDOWS\system32\rjjksh.dll
C:\WINDOWS\system32\sdjdekvl.dll
C:\WINDOWS\system32\sjuhtimw.dll
C:\WINDOWS\system32\sttsCJjl.ini
C:\WINDOWS\system32\sttsCJjl.ini2
C:\WINDOWS\system32\taidpjoy.dll
C:\WINDOWS\system32\tgdpblhp.dll
C:\WINDOWS\system32\tjmanfvo.dll
C:\WINDOWS\system32\tuihcxms.dll
C:\WINDOWS\system32\tulvnw.dll
C:\WINDOWS\system32\unvdtdxb.dll
C:\WINDOWS\system32\vmclwncg.ini
C:\WINDOWS\system32\vthovgsa.ini
C:\WINDOWS\system32\wnjnypcn.ini
C:\WINDOWS\system32\wptifcfq.ini
C:\WINDOWS\system32\xfnnaeph.dll
C:\WINDOWS\system32\zyxspp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-03 00:47 . 2008-07-03 00:47 0 --a------ C:\WINDOWS\system32\wnjnypcn.tmp
2008-06-30 05:02 . 2008-06-30 05:04 <DIR> d-------- C:\microsoft updates
2008-06-30 03:43 . 2008-07-03 02:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 03:42 . 2008-07-03 02:07 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-30 00:42 . 2008-06-30 00:42 <DIR> d-------- C:\Program Files\Panda Security
2008-06-29 01:24 . 2008-06-29 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 17:25 . 2003-11-20 17:28 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\WINDOWS
2008-06-28 17:25 . 2003-11-20 18:32 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\toshiba
2008-06-28 17:25 . 2003-11-20 18:34 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Symantec
2008-06-28 17:25 . 2003-11-21 11:25 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\InterVideo
2008-06-28 17:25 . 2003-11-20 17:59 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\InterTrust
2008-06-28 17:25 . 2003-11-20 18:52 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Drag'n Drop CD+DVD
2008-06-28 17:25 . 2008-06-28 17:25 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS
2008-06-28 15:41 . 2008-06-28 15:41 <DIR> d-------- C:\VundoFix Backups
2008-06-25 21:57 . 2008-06-25 22:00 <DIR> d-------- C:\Program Files\microsoft malicious software removal tool
2008-06-25 21:01 . 2008-07-04 04:53 20,619 --a------ C:\WINDOWS\system32\Config.MPF
2008-06-25 19:30 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-25 19:30 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-06-25 19:30 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-06-25 19:30 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-06-25 19:30 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-06-25 19:29 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-06-25 19:28 . 2008-06-27 04:14 <DIR> d-------- C:\mcafee_mcpr
2008-06-25 19:21 . 2008-06-27 22:38 <DIR> d-------- C:\Program Files\McAfee
2008-06-25 17:53 . 2008-06-25 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 17:48 . 2008-06-25 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 23:06 . 2008-06-24 23:06 131,584 --a------ C:\WINDOWS\system32\vnorlxrh.dll
2008-06-23 23:57 . 2008-06-23 23:57 131,584 --a------ C:\WINDOWS\system32\pjogcehu.dll
2008-06-21 23:31 . 2008-07-02 00:33 110,321 --a------ C:\WINDOWS\BMbfc81020.xml
2008-06-20 23:46 . 2008-06-28 05:14 <DIR> d-------- C:\WINDOWS\system32\mir
2008-06-20 23:46 . 2008-06-25 18:41 <DIR> d-------- C:\WINDOWS\system32\jdam
2008-06-20 23:46 . 2008-06-25 18:41 <DIR> d-------- C:\WINDOWS\system32\49a
2008-06-20 23:44 . 2008-06-28 15:01 <DIR> d-------- C:\WINDOWS\system32\modtrux05
2008-06-20 23:44 . 2008-06-20 23:44 <DIR> d-------- C:\Temp\syschk3
2008-06-20 23:44 . 2008-06-20 23:44 44,544 --a------ C:\WINDOWS\system32\geBtRhiG.dll
2008-06-11 03:22 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 09:19 --------- d-----w C:\Program Files\Pure Networks
2008-06-30 07:05 --------- d-----w C:\Program Files\Viewpoint
2008-06-30 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-29 01:34 --------- d-----w C:\Program Files\Java
2008-06-27 11:14 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-27 11:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-26 04:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-26 04:18 --------- d-----w C:\Program Files\mcafee.com
2008-06-26 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 02:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-06-26 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-26 02:03 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-26 01:03 --------- d-----w C:\Program Files\Lavasoft
2008-06-26 00:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24 65536]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.EXE" [2005-07-12 07:17 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07 114688]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 17:16 172032]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 18:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 19:00 126976]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 16:01 1019904]
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-11-05 06:38 1380352]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 16:37 151552]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50 71216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-04 04:18 98304]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"HostManager"="C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe" [2006-09-25 17:52 50736]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 12:20 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 17:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-11-19 22:15 278528 C:\WINDOWS\system32\TPSMain.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 01:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 0258 28672]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 14:23:32 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-12-08 15:50 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MPFExe"=C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
"EmailScan"=C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
"OASClnt"=C:\Program Files\mcafee.com\antivirus\oasclnt.exe
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
"AOLSPScheduler"=C:\Program Files\Common Files\AOL\1136373225\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
"ezShieldProtector for Px"=C:\WINDOWS\System32\ezSP_Px.exe
"sscRun"=C:\Program Files\Common Files\AOL\1136373225\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
"00THotkey"=C:\WINDOWS\System32\00THotkey.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1167533480\\ee\\aolsoftware.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Toshiba\\ConfigFree\\CFSServ.exe"=
"C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 02:07]
R2 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 12:50]
R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;C:\WINDOWS\system32\DRIVERS\WPC54Gv3.SYS [2006-12-01 00:54]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;C:\WINDOWS\system32\DRIVERS\pc100nds.sys [2001-08-17 12:12]

.
Contents of the 'Scheduled Tasks' folder
"2005-08-06 05:32:15 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1108276221.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-06-26 02:27:22 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-07-01 08:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
HKCU-Run-ISMModule6 - C:\Program Files\ISM\ISMModule6.exe
HKCU-Run-BMbfc81020 - C:\WINDOWS\system32\lsvyyjxa.dll
HKLM-Run-BMbfc81020 - C:\WINDOWS\system32\lsvyyjxa.dll
HKLM-Run-bcfb23bc - C:\WINDOWS\system32\krfdynmi.dll
HKLM-Run-TFncKy - TFncKy.exe
HKU-Default-Run-ALUAlert - C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
ShellExecuteHooks-{4E06327D-0415-475F-898B-6ACFB316073E} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 04:57:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\PROGRA~1\mcafee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\America Online 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-07-04 5:19:38 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-07-04 12:18:16

Pre-Run: 28,086,677,504 bytes free
Post-Run: 28,112,531,456 bytes free

261 --- E O F --- 2008-06-20 04:03:04
Old 07-14-2008, 06:14 AM   #5 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,472
OS: XP SP3


Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hi,

Thank you for being honest and providing the combofix logs.

Quote:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Let's have the Recovery Console installed first. Your copy of ComboFix may have expired already. Please delete the present copy from your desktop and download a fresh one from one of the following links, and save it to your desktop.

Link 1
Link 2
Link 3

Next, go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.



Download the file & save it as it's originally named, next to ComboFix.exe.



Now close all open windows and programs, including all anti-virus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'No' to exit.



========================================
  • Open notepad (Start>All programs>accessories>notepad )
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
(It must be notepad, not wordpad, or it won't work):

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/266140-frustrated-persistant-trojan-rewrites-itself.html#post1590233

KILLALL::

Collect::
C:\WINDOWS\system32\vnorlxrh.dll
C:\WINDOWS\system32\pjogcehu.dll
C:\WINDOWS\BMbfc81020.xml

File::
C:\WINDOWS\system32\wnjnypcn.tmp

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\mir
C:\WINDOWS\system32\jdam
C:\WINDOWS\system32\49a
C:\WINDOWS\system32\modtrux05
C:\Temp\syschk3
C:\WINDOWS\system32\geBtRhiG.dll
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

===============================================

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 07-14-2008 at 06:18 AM.
Old 07-19-2008, 01:52 AM   #6 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 8
OS: windowsxp


Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hello and thank you again Amateur for ALL OF YOUR HELP!!! I have read and followed through with all of the instructions that you sent to me. The only thing I was not sure about was if I was supposed to register when I did the copy/paste/send of the txt file to mybleepingcomputer.com.

Below is a new ComboFix.txt file as well as a new HijackThis log file that you requested for review.

Again......... THANK YOU!!!!

Myst05


ComboFix 08-07-17.4 - Owner 2008-07-18 3:21:55.5 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\wnjnypcn.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\syschk3
C:\Temp\syschk3\tdirp5.log
C:\VundoFix Backups
C:\WINDOWS\system32\49a
C:\WINDOWS\system32\jdam
C:\WINDOWS\system32\mir
C:\WINDOWS\system32\modtrux05
C:\WINDOWS\system32\pjogcehu.dll
C:\WINDOWS\system32\vnorlxrh.dll
C:\WINDOWS\system32\wnjnypcn.tmp

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-05 01:45 . 2008-07-05 01:45 <DIR> d-------- C:\Deckard
2008-07-04 23:33 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-06-30 05:02 . 2008-06-30 05:04 <DIR> d-------- C:\microsoft updates
2008-06-30 03:43 . 2008-07-11 01:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 03:42 . 2008-07-03 02:07 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-30 00:42 . 2008-06-30 00:42 <DIR> d-------- C:\Program Files\Panda Security
2008-06-29 01:24 . 2008-06-29 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 17:25 . 2003-11-20 17:28 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\WINDOWS
2008-06-28 17:25 . 2003-11-20 18:32 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\toshiba
2008-06-28 17:25 . 2003-11-20 18:34 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Symantec
2008-06-28 17:25 . 2003-11-21 11:25 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\InterVideo
2008-06-28 17:25 . 2003-11-20 17:59 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\InterTrust
2008-06-28 17:25 . 2003-11-20 18:52 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS\Application Data\Drag'n Drop CD+DVD
2008-06-28 17:25 . 2008-06-28 17:25 <DIR> d-------- C:\Documents and Settings\Administrator.THEHADDADS
2008-06-25 21:57 . 2008-06-25 22:00 <DIR> d-------- C:\Program Files\microsoft malicious software removal tool
2008-06-25 21:01 . 2008-07-18 03:32 20,797 --a------ C:\WINDOWS\system32\Config.MPF
2008-06-25 19:30 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-25 19:30 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-06-25 19:30 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-06-25 19:30 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-06-25 19:30 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-06-25 19:29 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-06-25 19:28 . 2008-06-27 04:14 <DIR> d-------- C:\mcafee_mcpr
2008-06-25 19:21 . 2008-06-27 22:38 <DIR> d-------- C:\Program Files\McAfee
2008-06-25 17:53 . 2008-06-25 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 17:48 . 2008-06-25 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 10:41 . 2008-06-20 10:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 03:44 . 2008-06-20 03:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 09:19 --------- d-----w C:\Program Files\Pure Networks
2008-06-30 07:05 --------- d-----w C:\Program Files\Viewpoint
2008-06-30 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-29 01:34 --------- d-----w C:\Program Files\Java
2008-06-27 11:14 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-27 11:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-26 04:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-26 04:18 --------- d-----w C:\Program Files\mcafee.com
2008-06-26 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 02:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-06-26 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-26 02:03 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-26 01:03 --------- d-----w C:\Program Files\Lavasoft
2008-06-26 00:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-04_ 5.17.20.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 08:46:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-18 07:24:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-04 08:46:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-18 07:24:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-02-20 05:32:43 148,992 -c----w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c----w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2008-05-29 23:35:12 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
- 2004-08-04 07:56:44 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
- 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24 65536]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.EXE" [2005-07-12 07:17 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07 114688]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 17:16 172032]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 18:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 19:00 126976]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 16:01 1019904]
"B'sCLiP"="C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-11-05 06:38 1380352]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 16:37 151552]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50 71216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-04 04:18 98304]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"HostManager"="C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe" [2006-09-25 17:52 50736]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 12:20 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 17:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-11-19 22:15 278528 C:\WINDOWS\system32\TPSMain.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 01:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 0258 28672]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 14:23:32 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-12-08 15:50 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MPFExe"=C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
"EmailScan"=C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
"OASClnt"=C:\Program Files\mcafee.com\antivirus\oasclnt.exe
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
"AOLSPScheduler"=C:\Program Files\Common Files\AOL\1136373225\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
"ezShieldProtector for Px"=C:\WINDOWS\System32\ezSP_Px.exe
"sscRun"=C:\Program Files\Common Files\AOL\1136373225\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
"00THotkey"=C:\WINDOWS\System32\00THotkey.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1167533480\\ee\\aolsoftware.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Toshiba\\ConfigFree\\CFSServ.exe"=
"C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 02:07]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 12:50]
R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;C:\WINDOWS\system32\DRIVERS\WPC54Gv3.SYS [2006-12-01 00:54]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;C:\WINDOWS\system32\DRIVERS\pc100nds.sys [2001-08-17 12:12]
.
Contents of the 'Scheduled Tasks' folder
"2005-08-06 05:32:15 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1108276221.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-07-15 08:00:07 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-07-01 08:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 03:34:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\mcafee.com\Agent\mcagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\America Online 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-07-18 3:59:02 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-07-18 10:57:36
ComboFix2.txt 2008-07-05 02:35:35
ComboFix3.txt 2008-07-05 01:59:21
ComboFix4.txt 2008-07-14 09:41:00
ComboFix5.txt 2008-07-18 10:08:43

Pre-Run: 27,781,345,280 bytes free
Post-Run: 27,968,319,488 bytes free

227 --- E O F --- 2008-07-09 08:09:27


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:11 AM, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Common Files\AOL\1167533480\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\America Online 9.0\waol.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcsync.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167533480\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1214824509765
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/JS...ws-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

--
End of file - 10816 bytes
Myst05 is offline  
Old 07-19-2008, 07:38 AM   #7 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,472
OS: XP SP3


Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hi Myst05,

You're welcome.

Quote:
The only thing I was not sure about was if I was supposed to register when I did the copy/paste/send of the txt file to mybleepingcomputer.com.
No, you didn't need to. The file is received. Thank you.

=================================

I see you have Viewpoint installed. Please read this article: http://www.clickz.com/news/article.php/3561546
Unless you are using AOL as an ISP, I would recommend removing it. You can download the Viewpoint killer from the link below and follow the prompts.
http://www.prprogramsstudios.tk/

=================================

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
==================================

Please post back the Kaspersky scan results and let me know how the computer is running now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 07-26-2008, 03:51 AM   #8 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 8
OS: windowsxp


Re: Frustrated with a persistent Trojan that rewrites itself!!!


Hello Amateur and once again... THANK YOU for ALL of your help! I have copied the Kaspersky text which I ran a few days ago and like you said... am trying not to panic with all that it found. The computer is running much better. I do have another question... when I did windows recovery console.. I chose windows XP sp1... because I was unsure which one to choose but after viewing some of the information that I am sending to you... should I have chosen windows XP sp2?

Once again.. THANK YOU!!! You were awesome in all your help and in explaining what I needed to do.

Sincerely,
MYST05
-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 22, 2008 5:53:15 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/07/2008
Kaspersky Anti-Virus database records: 983940
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 79230
Number of viruses found: 12
Number of infected objects: 83
Number of suspicious objects: 0
Duration of the scan process: 02:57:59

Infected Object Name / Virus Name / Last Action
C:\186.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\186.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\186.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\186.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\186.tmp NSIS: infected - 4 skipped
C:\1F0.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\1F0.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\1F0.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.apq skipped
C:\1F0.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.apq skipped
C:\1F0.tmp NSIS: infected - 4 skipped
C:\1F4.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\1F4.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\1F4.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\1F4.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\1F4.tmp NSIS: infected - 4 skipped
C:\563.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\563.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.b skipped
C:\563.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.ctk skipped
C:\563.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ctk skipped
C:\563.tmp NSIS: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\mystyblueyz\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\mystyblueyz\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\CACHE\mystyblue00 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\mystyblueyz Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\mystyblueyz.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\mystyblueyz.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\BFTS\BFTSDatabase.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.SearchIt.t skipped
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe WiseSFXDropper: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR31B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\[4]-Submit_2008-07-18@3.20.zip/pjogcehu.dll Infected: Trojan.Win32.Mondera.gen skipped
C:\Documents and Settings\Owner\Desktop\[4]-Submit_2008-07-18@3.20.zip/vnorlxrh.dll Infected: Trojan.Win32.Mondera.gen skipped
C:\Documents and Settings\Owner\Desktop\[4]-Submit_2008-07-18@3.20.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Documents.dfd Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Documents.did Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Documents.dsd Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kdb Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kdl Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kib Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kpf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.ksb Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\49.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\hsperfdata_Owner\3264 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\Perflib_Perfdata_c28.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.SearchIt.t skipped
C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe WiseSFX: infected - 1 skipped
C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe WiseSFXDropper: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aqdjqn.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\egmdtnuj.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fqzpva.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\irdqxrrt.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kxrhferb.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJCstts.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.zew skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lsvyyjxa.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\moecegjj.dll.vir Infected: Trojan.Win32.Mondera.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mphrjmse.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qltaib.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rdacwpat.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rjjksh.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sjuhtimw.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\taidpjoy.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tgdpblhp.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tjmanfvo.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tulvnw.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\unvdtdxb.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xfnnaeph.dll.vir Infected: Trojan.Win32.Mondera.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zyxspp.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP432\A0205601.dll Infected: Trojan.Win32.Mondera.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP433\A0206622.dll Infected: Trojan.Win32.Mondera.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP433\A0207659.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zpq skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP434\A0207709.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP434\A0208992.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP436\A0209356.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP436\A0209357.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP436\A0209358.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP437\A0209420.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP437\A0209421.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP437\A0209422.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP438\A0209473.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP438\A0209474.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP438\A0209475.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211039.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211040.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211041.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211042.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211044.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zew skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211048.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211049.dll Infected: Trojan.Win32.Mondera.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211050.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211052.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211053.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211054.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211056.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211058.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211059.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211060.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211062.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211063.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211064.dll Infected: Trojan.Win32.Mondera.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211065.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP445\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_AnOEudOhAQJ3EoB Object is locked skipped
C:\WINDOWS\Temp\mcmsc_U7gYhIz3eccHL2A Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Myst05 is offline  
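A triage pass over a report like the one above, as an added example that is not part of the thread and not a tool from the forum: it parses the three line shapes Kaspersky Online Scanner emits and buckets each hit the way the helper does by hand (copies already held in the QooBox quarantine folder, copies inside System Restore points, leftover installers in the drive root, the user's own submission archive, and live files that still need a decision), while locked objects are counted but not treated as findings. The bucket names are this example's own, and the embedded report is an excerpt of the one posted above.

```python
"""Triage helper for Kaspersky Online Scanner report lines (added example).

Three line shapes occur in the report:
  <path> Infected: <detection name> skipped
  <path> Object is locked skipped
  <path> <archive type>: infected - <count> skipped
Archive members are written <container>/<member>, so each hit is reduced
to its on-disk container before it is bucketed.
"""
import re
from collections import defaultdict

# Excerpt of the report posted above, trimmed to representative lines.
SAMPLE_REPORT = r"""
C:\186.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\186.tmp NSIS: infected - 4 skipped
C:\1F0.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.apq skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.SearchIt.t skipped
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Owner\Desktop\[4]-Submit_2008-07-18@3.20.zip/pjogcehu.dll Infected: Trojan.Win32.Mondera.gen skipped
C:\Documents and Settings\Owner\Desktop\[4]-Submit_2008-07-18@3.20.zip ZIP: infected - 2 skipped
C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.SearchIt.t skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aqdjqn.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP440\A0211039.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

CONTAINER_RE = re.compile(r"^(.*) (\S+): infected - (\d+)$")
ROOT_TMP_RE = re.compile(r"[a-z]:\\[^\\]+\.tmp")   # e.g. c:\186.tmp


def parse_line(line):
    """Return (container, member, verdict, detail), or None for a non-report line."""
    line = line.strip()
    if not line.endswith(" skipped"):
        return None
    body = line[: -len(" skipped")]
    if body.endswith(" Object is locked"):
        path, verdict, detail = body[: -len(" Object is locked")], "locked", ""
    elif " Infected: " in body:
        path, detail = body.rsplit(" Infected: ", 1)
        verdict = "infected"
    else:
        m = CONTAINER_RE.match(body)
        if not m:
            return None
        path, verdict, detail = m.group(1), "container", f"{m.group(2)} x{m.group(3)}"
    container, _, member = path.partition("/")
    return container, member, verdict, detail


def bucket_for(container):
    """Where a hit lives decides what, if anything, still has to be done."""
    low = container.lower()
    if low.startswith(r"c:\qoobox\quarantine") or low.endswith(".vir"):
        return "already_quarantined"   # neutralised copy held by a removal tool
    if r"\system volume information\_restore" in low:
        return "system_restore"        # dormant copy inside a restore point
    if ROOT_TMP_RE.fullmatch(low):
        return "temp_installer"        # leftover installer dropped in the drive root
    if low.endswith(".zip"):
        return "sample_archive"        # the user's own submission bundle
    return "live_file"                 # reachable on disk: needs a decision


def triage(report_text):
    """Group infected containers by bucket and count every line type.

    Locked objects are in-use system files, not findings, and archive
    summary lines repeat their members, so both are counted but not bucketed.
    """
    buckets = defaultdict(dict)
    stats = {"locked": 0, "infected": 0, "container": 0}
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        container, _member, verdict, detail = parsed
        stats[verdict] += 1
        if verdict == "infected":
            buckets[bucket_for(container)].setdefault(container, set()).add(detail)
    return ({b: {c: sorted(n) for c, n in d.items()} for b, d in buckets.items()},
            stats)


if __name__ == "__main__":
    found, counts = triage(SAMPLE_REPORT)
    print(counts)
    for bucket, hits in found.items():
        print(f"[{bucket}]")
        for container, names in hits.items():
            print(f"  {container}: {', '.join(names)}")
```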
Old 07-26-2008, 05:37 AM   #9 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,472
OS: XP SP3


Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hi,

Quote:
when I did windows recovery console.. I chose windows XP sp1... because I was unsure which one to choose but after viewing some of the information that I am sending to you... should I have chosen windows XP sp2?
Yes, you should. Your system is Microsoft Windows XP Home Edition SP2. However, no harm has been done, but if you ever need the Recovery Console in future, it's better to have the correct one installed. We'll do that in the next post. Let's check the present situation first.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
type "C:\boot.ini">C:\look.txt
Start notepad C:\Look.txt
del peek.bat
Save this as peek.bat to your desktop. Choose to "Save type as - All Files"
It should look like this:
Double click on peek.bat & allow it to run. A notepad file will open. Please copy and post the contents of that file in your next reply, and close the file.

===================================

You can delete the [4]-Submit_2008-07-18@3.20.zip now.

====================================

Please delete the following files:

C:\186.tmp
C:\1F0.tmp
C:\1F4.tmp
C:\563.tmp

I am not sure about the following files flagged by Kaspersky. Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste this filepath:

C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

Then, do the same for this one too:

C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe

======================================

Please let me know how all that went and results from Jotti
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
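A way to read the two Jotti reports this step produces side by side, as an added example that is not from the thread and not Jotti's own code: it parses the "Scanner results" block, counts how many engines flagged the file and what family they name, and compares the MD5 that Jotti prints in its header for both submissions. The embedded reports are constructed in Jotti's layout from the results posted later in the thread, the second one trimmed to its header and three engines.

```python
"""Consensus check over Jotti multi-engine results (added example): count the
engines that flagged a file, normalise vendor names to (class, family), and
compare MD5s so a re-upload of the same bytes is recognised as one sample.
"""
import re

# Constructed in Jotti's layout from the toolbr.exe result posted later in this thread.
TOOLBR_REPORT = """\
File: toolbr.exe
MD5: 0bdec31d2a20a02d17302e97dd74a585
Packers detected: WISESFXDROPPER

Scanner results
Scan taken on 27 Jul 2008 08:24:13 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found AdWare.W32.SearchIt.t
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.SearchIt.t (4, 1, 400)
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.SearchIt.t
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.SearchIt.t
"""

# The second submission from the thread, trimmed to its header and three engines.
AOLTOOLBAR_REPORT = """\
File: AOLToolbarSetup.exe
MD5: 0bdec31d2a20a02d17302e97dd74a585
Packers detected: WISESFXDROPPER

Scanner results
CPsecure Found AdWare.W32.SearchIt.t
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.SearchIt.t
NOD32 Found nothing
"""

FAMILY_RE = re.compile(
    r"(?:not-a-virus:)?(?P<cls>[A-Za-z-]+)\.(?:W(?:in)?32\.)?(?P<family>[A-Za-z0-9]+)")


def parse_jotti(text):
    """Pull file name, MD5, packers and a per-engine verdict (None = clean)."""
    report = {"file": None, "md5": None, "packers": [], "results": {}}
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File: "):
            report["file"] = line[len("File: "):]
        elif line.startswith("MD5: "):
            report["md5"] = line[len("MD5: "):].lower()
        elif line.startswith("Packers detected: "):
            report["packers"] = line[len("Packers detected: "):].split(", ")
        elif line == "Scanner results":
            in_results = True
        elif in_results and " Found " in line:
            engine, _, verdict = line.partition(" Found ")
            report["results"][engine] = None if verdict == "nothing" else verdict
    return report


def family_of(verdict):
    """'not-a-virus:AdWare.Win32.SearchIt.t (4, 1, 400)' -> ('AdWare', 'SearchIt');
    names in a layout the pattern does not know are kept verbatim."""
    m = FAMILY_RE.match(verdict)
    return (m.group("cls"), m.group("family")) if m else ("Unknown", verdict)


def consensus(report):
    """How many engines flagged the file, which ones, and what they call it."""
    hits = {engine: v for engine, v in report["results"].items() if v}
    return {
        "engines": len(report["results"]),
        "detections": len(hits),
        "engines_flagging": sorted(hits),
        "families": sorted({family_of(v) for v in hits.values()}),
    }


def same_sample(a, b):
    """Identical MD5 means identical bytes: one verdict covers both uploads."""
    return a["md5"] is not None and a["md5"] == b["md5"]


if __name__ == "__main__":
    first, second = parse_jotti(TOOLBR_REPORT), parse_jotti(AOLTOOLBAR_REPORT)
    print(consensus(first), "same bytes:", same_sample(first, second))
```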
Old 07-27-2008, 03:23 AM   #10 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 8
OS: windowsxp


Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hi there Amateur I sure hope you know how much YOU ARE APPRECIATED! THANK YOU for ALL OF YOUR HELP I deleted the files as requested in your instructions:
[4]-Submit_2008-07-18@3.20.zip and C:\186.tmp C:\1F0.tmp C:\1F4.tmp C:\563.tmp

Below are the results from the peek.bat:


[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /forceresetreg /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Results from the 1st Virusscan.jotti for C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe




Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: toolbr.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 0bdec31d2a20a02d17302e97dd74a585
Packers detected: WISESFXDROPPER

Scanner results
Scan taken on 27 Jul 2008 08:24:13 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found AdWare.W32.SearchIt.t
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.SearchIt.t (4, 1, 400)
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.SearchIt.t
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.SearchIt.t




2nd scan: C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1



File: AOLToolbarSetup.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 0bdec31d2a20a02d17302e97dd74a585
Packers detected: WISESFXDROPPER

Scanner results
Scan taken on 27 Jul 2008 08:52:30 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found AdWare.W32.SearchIt.t
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.SearchIt.t (4, 1, 400)
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.SearchIt.t
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.SearchIt.t




Thank you and I hope you have a great weekend!

Take Care,
MYST05
Myst05 is offline  
Old 07-27-2008, 05:41 AM   #11
amateur - Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,472
OS: XP SP3

Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hi,

You are welcome. Thanks for the appreciation.

I still believe that those files flagged by Kaspersky are false positives, but I'll leave it to you to decide whether to delete them or not.

=============================

Uninstalling Recovery Console:

Please check and make sure that this file is present - C:\Boot.bak.
It is a backup of the machine's previous Boot.ini. Do not proceed if it's not present

1) Right click on current copy of C:\Boot.ini & select 'Properties'. Then remove the file's 'Read-Only' attribute

2) Rename C:\Boot.ini to C:\Boot.old (Do not delete it)

3) Rename C:\Boot.bak to C:\Boot.ini

4) Right click on the new C:\Boot.ini & select 'Properties'. Then make the file 'Read-Only'

5) Reboot the machine. You will note that the Recovery Console is no longer an option on the Boot Menu

6) Delete the folder - C:\CmdCons

7) Delete C:\Boot.old

WARNING - Failure to strictly adhere to the above instructions may result in an unbootable machine.

Next, go here and download the Recovery Console file, and save it to your desktop. Please make sure that you save it as it's originally named and place it next to Combofix on your desktop.
  • Close all open windows and programs
  • Drag and drop the setup package onto ComboFix.exe


  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
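The Boot.ini swap in steps 1 to 4 of the post above, as an added PowerShell example that is not part of the thread or of ComboFix; it assumes the C: drive used in the post and adds one extra sanity check, that Boot.bak contains the two sections a real Boot.ini has. The function name and the -DryRun switch are hypothetical.

```powershell
# Added example (not from the thread): automates steps 1-4 of the Recovery Console
# removal procedure, and refuses to touch anything unless C:\Boot.bak is present
# and looks like a genuine Boot.ini. Steps 5-7 (reboot, then delete C:\CmdCons and
# C:\Boot.old) are left manual so the machine is confirmed bootable first.
# Run from an elevated prompt. -Drive and -DryRun are hypothetical parameters.
function Restore-PreviousBootIni {
    param([string]$Drive = 'C:', [switch]$DryRun)

    $current = Join-Path $Drive 'Boot.ini'
    $backup  = Join-Path $Drive 'Boot.bak'
    $old     = Join-Path $Drive 'Boot.old'

    # Guard 1: the backup must exist (the post's "do not proceed" condition).
    if (-not (Test-Path -LiteralPath $backup)) {
        throw "$backup not found; aborting without changes."
    }
    if (-not (Test-Path -LiteralPath $current)) {
        throw "$current not found; make sure protected OS files are not hidden."
    }
    if (Test-Path -LiteralPath $old) {
        throw "$old already exists; move it aside first so nothing is overwritten."
    }

    # Guard 2 (added check): every Boot.ini carries these two section headers.
    $text = (Get-Content -LiteralPath $backup) -join "`n"
    if ($text -notmatch '\[boot loader\]' -or $text -notmatch '\[operating systems\]') {
        throw "$backup does not look like a Boot.ini; aborting."
    }

    if ($DryRun) {
        Write-Host "Would rename $current -> $old and $backup -> $current"
        return
    }

    # Step 1: clear the read-only attribute on the current Boot.ini.
    Set-ItemProperty -LiteralPath $current -Name IsReadOnly -Value $false
    # Step 2: keep the current file as Boot.old (do not delete it yet).
    Rename-Item -LiteralPath $current -NewName 'Boot.old'
    # Step 3: promote the backup to be the live Boot.ini.
    Rename-Item -LiteralPath $backup -NewName 'Boot.ini'
    # Step 4: make the restored Boot.ini read-only again.
    Set-ItemProperty -LiteralPath $current -Name IsReadOnly -Value $true

    Write-Host "Done. Reboot; once the Recovery Console entry is gone from the boot menu,"
    Write-Host "delete $Drive\CmdCons and $old (steps 5-7 of the post)."
}
```

Call `Restore-PreviousBootIni -DryRun` first to see what would be renamed without changing anything.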
Old 07-28-2008, 02:07 AM   #12
Myst05 - Registered User
Join Date: Jun 2008
Posts: 8
OS: windowsxp

Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hello Amateur... I hope you had a good weekend!

This is just a short reply as I want to make sure I am clear on renaming the C:\Boot.ini as when I did a search for it, it came up as C:\Boot.ini.backup

Do I still rename C:\Boot.ini to C:\Boot.old? Just need to make sure I am doing this correctly.

Thank you,

MYST05
Myst05 is offline  
Old 07-28-2008, 02:33 AM   #13
amateur - Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,472
OS: XP SP3

Re: Frustrated with a persistent Trojan that rewrites itself!!!

It's now my time to make it clear

Do you mean that there's only one C:\Boot.ini file and that's C:\Boot.ini.backup, No C:\Boot.ini?

Do you have your system set to show the hidden files?

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Last edited by amateur; 07-28-2008 at 04:06 AM.
amateur is offline  
Old 07-31-2008, 01:07 AM   #14
Myst05 - Registered User
Join Date: Jun 2008
Posts: 8
OS: windowsxp

Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hi Amateur Thank you for clarifying what I needed to do to find C:\Boot.ini and I did exactly what you instructed and I found it... lol.. Thank you.

I followed all of your instructions... to uninstall Recovery Console and it all went perfect as did the install of the correct Recovery Console.

I cannot thank you enough for all of your help and in explaining everything so that I could understand and follow!

If there is anything more I need to do please let me know.

Again, Thank you for being there and taking the time to help people like me feel confident in tackling cleaning up computer threats and problems!

Take Care,

MYST05
Myst05 is offline  
Old 07-31-2008, 02:37 AM   #15
amateur - Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,472
OS: XP SP3

Re: Frustrated with a persistent Trojan that rewrites itself!!!

Hi,

That's perfect. You're very welcome.

If you have no further malware issues, you're set to go.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /



    This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

Some tips on the prevention of malware here by a colleague of ours.

Surf safely!
amateur is offline  
Copyright 2001 - 2009, Tech Support Forum