Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde, Win32.trojan.qhost, Scprot4.exe


  • This topic is locked This topic is locked
25 replies to this topic

#1 simonlebon

simonlebon

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 29 February 2008 - 10:29 AM

Hi

I have a Toshiba A100 Laptop that uses Windows XP with Service Pack 2. I have been infected with Spyware and I can't seem to sort it out by following the instructions on the website.

I have run Ad-aware, Spybot Search and Destroy, I have used the Norton Internet Security I own and Norton Systemworks, and I have also used AVG Anit-Virus, Smitfraud, Stinger and Vundo Fix. All to no avail! Each time I reboot and run the scans again the same problems re-appear. I am contimuing to receive pop-ups and my PC is running more slowly than before.

When I scan my PC with Spbot, it returns the following problems:

22nd Street Computers
Virtumonde Crack
Virtumonde
Win.32.Qhost.abh
Zclock.uc

But, when I click on "Fix selected problems" option before the programme finishes the creen goes black and the keypad then becomes unresponsive, and I have to re-boot.

When I scan my PC with Ad-aware, it returns the following problems:
  • Win.32.Trojan.Qhost
  • Vir
tumonde

I select the "remove problems" or "quarantine problems" options, and each time it tells me they have been removed. I reoot, run Ad-aware again and the same problems are returned by the scan. So Ad-awre is not having any effect as far a I can see.

I know that SecCentre is also in my Program files folder. I have managed to delete this on occassion but after I reboot it inevitably returns to my Program fiels folder again. I also had a problem with Ucleaner a couple of months ago. I followed the steps on the forum and the pop-ups in the corner of the creen ceased for a few days, but they have now been replaced by other, equally annoying pop-ups (balloon pop-ups telling me I am infected with spyware). I also have Scprot4.exe running as a background process and I know that isn't a good thing!

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:17:38, on 29/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray .exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy .exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc .exe
C:\Program Files\Toshiba\ConfigFree\CFSServ .exe
C:\Program Files\BroadJump\Client Foundation\CFD .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\TOOLSCD\Display Driver\Intel\Win2000\igfxtray .exe
C:\TOOLSCD\Display Driver\Intel\Win2000\hkcmd .exe
C:\TOOLSCD\Display Driver\Intel\Win2000\igfxpers .exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcyv.exe
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] C:\TOOLSCD\Config Free\Package\NDSFiles\NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [CFSServ.exe] C:\Program Files\Toshiba\ConfigFree\CFSServ.exe -NoClient
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [pqdwvuhm] rundll32.exe "C:\Program Files\klqnwrkt\gduvqlan.dll",Init
O4 - HKLM\..\Run: [gzmbefct] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\gzmbefct.dll"
O4 - HKLM\..\Run: [pkfkziha] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pkfkziha.dll"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\TOOLSCD\Display Driver\Intel\Win2000\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\TOOLSCD\Display Driver\Intel\Win2000\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\TOOLSCD\Display Driver\Intel\Win2000\igfxpers.exe
O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exe
O4 - HKLM\..\Run: [zudmboto] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zudmboto.dll"
O4 - HKLM\..\Run: [103aa9ae] rundll32.exe "C:\WINDOWS\system32\iuptvhdc.dll",b
O4 - HKLM\..\Run: [etefwnil] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\etefwnil.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/229?95313124e5994561b0b22a57295b4ca
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/230?95313124e5994561b0b22a57295b4ca
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 13209 bytes


Also, I'm not sure if this is related but on start-up of my computer I receive the following error messages in the follwing order:

NDSTray.exe - Unable to Locate Component
This application failed to start becasue NDSAPI.ll was not found. Re-installing the application may fix this problem.

RegSvr32
Loadlibrary C:\Documents and Settings\All USers\Application Data\gzmbefct.dll) failed. The specified module cannot be found.

RegSvr32
Loadlibrary C:\Documents and Settings\All USers\Application Data\pfkziha.dll) failed. The specified module cannot be found.

RegSvr32
Loadlibrary C:\Documents and Settings\All USers\Application Data\zudmboto.dll) failed. The specified module cannot be found.


If anyone can help to suggest what to do now that would be amazing. I have tried all the things I can and now I have really hit a brick wall.

Thanks to anyone who replies to this.

BC AdBot (Login to Remove)

 


#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:01:49 PM

Posted 17 March 2008 - 09:36 PM

Hello Simonlebon


Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


Next
Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 simonlebon

simonlebon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 18 March 2008 - 04:17 PM

Hi there

Thanks so much for the response, and no problem with the delay any help is wonderful!

Since my first post I have kept running all the scans recommended and that I listed above. The pop-ups have stopped but I know that the trojan is still there, especially the QHost one. Also, yesterday after doing a Spybot scan where the scan identified Virtumonde and Qhost, I selected fix problems as usual and rebooted. Since then, the internet has been going very very slowly and some web pages won't load at all. So, I did a search on this forum and did things such as reinstalling java and microsoft virtual machine. That didn't wprk, so I used ESET OnlineScan (NOD32). That seemed to do the trick and last night the internet was working fine. However, today the internet is very slow again!

Here are the logs:

Deckard's System Scanner v20071014.68
Run by Simon on 2008-03-18 11:30:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
25: 2008-03-18 11:31:04 UTC - RP335 - Deckard's System Scanner Restore Point
24: 2008-03-17 20:24:50 UTC - RP334 - Installed Java™ 6 Update 5
23: 2008-03-17 00:47:23 UTC - RP333 - System Checkpoint
22: 2008-03-15 23:46:18 UTC - RP332 - System Checkpoint
21: 2008-03-14 22:38:19 UTC - RP331 - System Checkpoint


-- First Restore Point --
1: 2008-02-18 19:21:17 UTC - RP311 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.51 GiB (less than 15%) free.


-- HijackThis (run as Simon.exe) -----------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-18 11:33:08
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton SystemWorks Premier\Norton Utilities\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Norton SystemWorks Premier\Norton Utilities\Speed Disk\NOPDB.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Common Files\X10\Common\X10nets.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\agrsmmsg.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Simon\My Documents\Download\dss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {cc9ab6a0-f44e-5398-d984-5f329a98fc45} - {54cf89a9-23f5-489d-8935-e44f0a6ba9cc} - C:\WINDOWS\system32\vhwtkqld.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {886cfea7-47d7-4a49-b0f1-3ca42b5d17b9} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A31B947B-542C-49B8-BAD7-B5A8231EBDE5} - (no file)
O2 - BHO: (no name) - {A75B43C5-CBCC-4F91-A1EC-F4EFB6EDC425} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O2 - BHO: (no name) - {B09D138E-A678-4BD8-8962-119038093CB7} - (no file)
O2 - BHO: (no name) - {B2B6C884-CC13-4C8E-B87F-658221A54E9D} - C:\WINDOWS\system32\ddcyv.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O2 - BHO: (no name) - {DB0B918E-A0A8-482B-8D75-A682816B0C7B} - (no file)
O2 - BHO: (no name) - {EEE2367F-5DAE-4574-8A79-0C9B1065C6E7} - (no file)
O2 - BHO: (no name) - {F9B54F34-A17B-446C-8E38-CA2366BAF0C7} - (no file)
O2 - BHO: (no name) - {FBDB4C19-8647-42B4-97D0-7DF00931FA68} - (no file)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [103aa9ae] rundll32.exe "C:\WINDOWS\system32\pwtcthge.dll",b
O4 - HKLM\..\Run: [BM13099a32] Rundll32.exe "C:\WINDOWS\system32\qusqnfse.dll",s
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = ?
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/229?95313124e5994561b0b22a57295b4ca
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/230?95313124e5994561b0b22a57295b4ca
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winrtq32 - C:\WINDOWS\system32\winrtq32.dll (file missing)
O20 - Winlogon Notify: yayaxvv - C:\WINDOWS\system32\yayaxvv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\CCPWDSVC.EXE
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\COMHOST.EXE
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks Premier\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks Premier\Norton Utilities\Speed Disk\NOPDB.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\Program Files\Common Files\X10\Common\X10nets.exe


--
End of file - 13159 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsubleepa Electric Industrial Co.,Ltd.; >
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.3.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.5.3.0>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 TVALD (Toshiba Mobile PC Service) - c:\windows\system32\drivers\nbsmi.sys <Not Verified; Toshiba Corporation; Toshiba Notebook PC SMI Service>
R3 Tvs (TOSHIBA Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>

S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing)
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>
S3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsubleepa Electric Industrial Co., Ltd.; >
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 Speed Disk service - c:\progra~1\norton~2\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>
R2 TAPPSRV (TOSHIBA Application Service) - "c:\program files\toshiba\toshiba applet\tappsrv.exe" <Not Verified; TOSHIBA Corp.; TOSHIBA TAPPSRV>
R2 x10nets (X10 Device Network Service) - c:\progra~1\common~1\x10\common\x10nets.exe <Not Verified; X10; x10 Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-18 11:32:26 366 --a------ C:\WINDOWS\Tasks\Check Updates for MSN Search Toolbar.job
2008-03-17 13:30:11 308 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
2008-02-22 20:54:23 548 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Simon.job


-- Files created between 2008-02-18 and 2008-03-18 -----------------------------

2008-03-18 10:02:25 336384 --a------ C:\WINDOWS\system32\ddcyv.exe
2008-03-17 21:15:05 0 d-------- C:\Program Files\EsetOnlineScanner
2008-03-17 20:47:21 87616 --a------ C:\WINDOWS\system32\pwtcthge.dll
2008-03-17 20:44:25 93760 --a------ C:\WINDOWS\system32\vhwtkqld.dll
2008-03-17 20:44:18 91200 --a------ C:\WINDOWS\system32\qusqnfse.dll
2008-03-17 20:32:03 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-17 16:11:24 0 d-------- C:\WINDOWS\pss
2008-03-15 13:04:06 94272 -----n--- C:\WINDOWS\system32\pwlocsjn.dll
2008-03-15 13:01:06 98368 --a------ C:\WINDOWS\system32\ktegfwbt.dll
2008-03-15 12:58:05 98368 --a------ C:\WINDOWS\system32\xrsjmcis.dll
2008-03-15 12:55:01 332896 -----n--- C:\WINDOWS\system32\ddcyv.dll
2008-03-01 15:49:10 0 d-------- C:\Program Files\SopCast
2008-02-29 15:00:51 0 d-------- C:\WINDOWS\network diagnostic
2008-02-29 14:32:37 122880 --a------ C:\Documents and Settings\All Users\Application Data\ynodexed.dll
2008-02-29 14:32:25 0 d-------- C:\Program Files\Mlfhxzky
2008-02-28 23:07:47 0 d-------- C:\Program Files\Lavasoft
2008-02-28 23:07:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 16:59:32 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-28 16:59:32 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-28 16:59:32 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-28 16:59:31 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-28 16:59:31 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-02-28 16:59:31 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-28 16:12:01 122880 --a------ C:\Documents and Settings\All Users\Application Data\zqrsxalo.dll
2008-02-28 16:11:55 0 d-------- C:\Program Files\Fabgskeb
2008-02-28 12:06:53 122880 --a------ C:\Documents and Settings\All Users\Application Data\dszeliji.dll
2008-02-28 12:06:42 0 d-------- C:\Program Files\Fgijpnzk


-- Find3M Report ---------------------------------------------------------------

2008-03-18 11:33:01 295255 --ahs---- C:\WINDOWS\system32\vycdd.ini2
2008-03-17 22:06:50 0 d-------- C:\Program Files\PowerISO
2008-03-17 21:40:36 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-17 20:26:38 0 d-------- C:\Program Files\Java
2008-03-17 15:25:21 0 d-------- C:\Documents and Settings\Simon\Application Data\uTorrent
2008-03-17 13:30:10 0 d-------- C:\Program Files\Norton SystemWorks Premier
2008-03-17 01:24:27 38492 --a------ C:\Documents and Settings\Simon\Application Data\wklnhst.dat
2008-03-16 23:14:20 836 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-12 22:44:10 0 d-------- C:\Program Files\klqnwrkt
2008-03-12 22:43:52 0 d-------- C:\Program Files\Omknvqcs
2008-03-05 09:34:56 0 d-------- C:\Program Files\Common Files
2008-03-04 14:49:03 0 d-------- C:\Documents and Settings\Simon\Application Data\LimeWire
2008-03-04 14:48:50 0 d-------- C:\Program Files\LimeWire
2008-02-28 23:06:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-11 10:06:44 0 d-------- C:\Documents and Settings\Simon\Application Data\Adobe
2008-02-11 09:39:26 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-11 09:39:18 237568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-08 13:53:46 110592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll <Not Verified; ; OnlineScanner Language Library>
2008-02-05 08:48:04 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe <Not Verified; ; OnlineScannerUninstaller>
2008-01-28 09:02:23 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-01-28 08:58:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-28 08:54:48 0 d-------- C:\Program Files\KONAMI
2008-01-22 20:24:21 0 d-------- C:\Program Files\EA GAMES
2008-01-21 18:40:12 0 d-------- C:\Program Files\Microsoft Games
2007-12-24 12:48:04 208896 --a------ C:\WINDOWS\system32\ndaTqsVqrX.dll
2007-12-21 23:08:12 163721 --a------ C:\Documents and Settings\Simon\Application Data\antivirus.exe
2007-12-21 17:04:56 0 --a------ C:\Install
2007-12-21 09:36:35 533 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54cf89a9-23f5-489d-8935-e44f0a6ba9cc}]
17/03/2008 20:44 93760 --a------ C:\WINDOWS\system32\vhwtkqld.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886cfea7-47d7-4a49-b0f1-3ca42b5d17b9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A31B947B-542C-49B8-BAD7-B5A8231EBDE5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A75B43C5-CBCC-4F91-A1EC-F4EFB6EDC425}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B09D138E-A678-4BD8-8962-119038093CB7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2B6C884-CC13-4C8E-B87F-658221A54E9D}]
15/03/2008 12:55 332896 --------- C:\WINDOWS\system32\ddcyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB0B918E-A0A8-482B-8D75-A682816B0C7B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE2367F-5DAE-4574-8A79-0C9B1065C6E7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9B54F34-A17B-446C-8E38-CA2366BAF0C7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBDB4C19-8647-42B4-97D0-7DF00931FA68}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [05/05/2006 13:59 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [04/05/2005 16:43 C:\WINDOWS\Alcmtr.exe]
"AGRSMMSG"="AGRSMMSG.exe" [13/12/2005 14:50 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [03/08/2005 13:26 C:\WINDOWS\system32\TPSMain.exe]
"103aa9ae"="C:\WINDOWS\system32\pwtcthge.dll" [17/03/2008 20:47]
"BM13099a32"="C:\WINDOWS\system32\qusqnfse.dll" [17/03/2008 20:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 12:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [10/01/2007 23:02:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 12:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrtq32]
winrtq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaxvv]
yayaxvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, , xlibgfl254.dll, , , , , , ,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

*Newly Created Service* - COMHOST



-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7820 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-18 11:34:31 ------------

And the next one....

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2050 @ 1.60GHz
CPU 1: Genuine Intel® CPU T2050 @ 1.60GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 1013.98 MiB / 492.52 MiB
Pagefile Memory (total/avail): 2442.07 MiB / 1961.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1916.32 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 2.51 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)
F: is CDROM (No Media)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS541080G9SA00 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled
FW: Norton Internet Security 2006 v2006 (Symantec Corporation)
AV: Norton Internet Security 2006 v2006 (Symantec Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Simon\\Application Data\\trant.exe"="C:\\Documents and Settings\\Simon\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Simon\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Simon\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\DOCUME~1\\Simon\\LOCALS~1\\Temp\\win969.exe"="C:\\DOCUME~1\\Simon\\LOCALS~1\\Temp\\win969.exe:*:Enabled:win969"
"C:\\Documents and Settings\\Simon\\Application Data\\trant.exe"="C:\\Documents and Settings\\Simon\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Simon\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Simon\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\PPLive\\PPLive.exe"="C:\\Program Files\\PPLive\\PPLive.exe:*:Enabled:PPLive"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Simon\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SIMONCURLY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Simon
LOGONSERVER=\\SIMONCURLY
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Simon\LOCALS~1\Temp
TMP=C:\DOCUME~1\Simon\LOCALS~1\Temp
USERDOMAIN=SIMONCURLY
USERNAME=Simon
USERPROFILE=C:\Documents and Settings\Simon
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Simon (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Broadband Help --> MsiExec.exe /I{01B6480D-3937-4E82-AB2C-8E4C591BEFE5}
CC_ccProxyExt --> MsiExec.exe /I{2EBF25F1-F8A2-40EA-92BE-931C142A44E2}
ccCommon --> MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
ccPxyCore --> MsiExec.exe /I{30738666-9805-4926-A78F-91DA33B6C437}
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
CodeStuff Starter --> "C:\Program Files\CodeStuff\Starter\unStarter.exe"
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Connection Keep Alive --> MsiExec.exe /I{77364F85-6219-4CB8-AAA0-6D53368D683D}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\setup.exe" -l0x9 DVD-RAM Driver
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD for TOSHIBA --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
Medal of Honor Allied Assault --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA94ED-915A-4834-A87E-388D012C8E02}\Setup.exe" -l0x9
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Halo --> "C:\Program Files\Microsoft Games\Halo\UNINSTAL.EXE" /runtemp /addremove
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN Search Toolbar --> MsiExec.exe /X{9F1868CA-BF34-45A7-A2C6-AF9EB7A8007E}
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSRedist --> MsiExec.exe /I{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4E9E-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485F-9E18-C5025306BB3F}
Norton AntiVirus 2006 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Cleanup --> MsiExec.exe /I{CA31120D-2101-484D-9FF1-195DE96FE346}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{3672B097-EA69-4bfe-B92F-29AE6D9D2B34}
Norton Internet Security --> MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security --> MsiExec.exe /I{FFB4DD53-28B7-4981-BFF0-9BD801F61095}
Norton Internet Security 2006 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe" /X
Norton Protection Center --> MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Norton SystemWorks --> MsiExec.exe /I{9E23C48E-5483-4971-BA50-089F2FABCD66}
Norton SystemWorks (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{B9807C3D-B3DD-41B7-8321-53DDB3A3A888}\{B9807C3D-B3DD-41B7-8321-53DDB3A3A888}.exe" /X
Norton SystemWorks Premier --> MsiExec.exe /I{B9807C3D-B3DD-41B7-8321-53DDB3A3A888}
Norton Utilities --> MsiExec.exe /I{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}
Norton WMI Update --> MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
OpenMG Limited Patch 4.1-05-14-24-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.1-05-14-24-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.1.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2F151B50-B434-4838-B51D-70442EBA093E} UNINSTALL
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
PPLive 1.9 --> C:\Program Files\PPLive\uninst.exe
Pro Evolution Soccer 5 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{85C3FA3C-4832-4204-B21E-168E4920936A} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
SD Secure Module --> MsiExec.exe /X{C45F4811-31D5-4786-801D-F79CD06EDD85}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SonicStage 3.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
SopCast 2.0.4 --> C:\Program Files\SopCast\uninst.exe
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4497AFF6-98C4-4F49-B073-F48F42BCBF9E} /l1033
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\Setup.exe" -l0x9
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Hotkey Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64DD71BC-3109-4C88-9AD3-D5422644B722}\setup.exe" -l0x9
TOSHIBA Manuals --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EB6332B-AF02-457C-A31C-835458C5B48B}\setup.exe" -l0x9 -removeonly
TOSHIBA PC Diagnostic Tool --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{2C38F661-26B7-445D-B87D-B53FE2D3BD42}
TOSHIBA Power Saver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\system32\TPSDel.dll"
TOSHIBA SD Memory Card Format --> MsiExec.exe /X{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA TouchPad ON/Off Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{69BE47C2-36FE-4397-8199-85D8EAE69982}\setup.exe" -l0x9
TOSHIBA Utilities --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}\setup.exe" -l0x9
TOSHIBA Virtual Sound --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B12BA86-ADAC-4BA6-B441-FFC591087252}\setup.exe" /uninstall
TOSHIBA Zooming Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\setup.exe"
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Virgin Broadband advisor 1.5.14 --> "C:\Program Files\Virgin Broadband\advisor\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Desktop Search --> "C:\WINDOWS\$NtUninstallKB911993-V2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB888316 --> C:\WINDOWS\$NtUninstallKB888316$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB894553 --> C:\WINDOWS\$NtUninstallKB894553$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB895678 --> C:\WINDOWS\$NtUninstallKB895678$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
X10 Hardware™ --> C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\X10HAR~1\Install.log


-- Application Event Log -------------------------------------------------------

Event Record #/Type17434 / Warning
Event Submitted/Written: 03/17/2008 04:16:06 PM
Event ID/Source: 1017 / Speed Disk service
Event Description:
C:

Event Record #/Type17410 / Error
Event Submitted/Written: 03/17/2008 01:50:50 AM
Event ID/Source: 1000 / Norton Disk Doctor
Event Description:
Norton Disk Doctor - Testing Drive C:
Recovering orphaned file 00639089.MOZ (37776) into directory file 36440.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Norton Disk Doctor found problems with the file system.
Run Norton Disk Doctor and check the Fix Errors option.

Event Record #/Type17409 / Error
Event Submitted/Written: 03/17/2008 00:14:37 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Event Record #/Type17408 / Error
Event Submitted/Written: 03/17/2008 00:13:18 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Event Record #/Type17407 / Error
Event Submitted/Written: 03/17/2008 00:06:21 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.3268, fault address 0x0023c07e.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type38540 / Warning
Event Submitted/Written: 03/18/2008 11:33:28 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type38515 / Error
Event Submitted/Written: 03/18/2008 00:44:41 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service NSCService with arguments ""
in order to run the server:
{09B7ADDC-8BF0-409B-8571-43E8EA2AAFA3}

Event Record #/Type38514 / Error
Event Submitted/Written: 03/18/2008 00:44:09 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service NSCService with arguments ""
in order to run the server:
{09B7ADDC-8BF0-409B-8571-43E8EA2AAFA3}

Event Record #/Type38510 / Error
Event Submitted/Written: 03/17/2008 11:44:41 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service NSCService with arguments ""
in order to run the server:
{09B7ADDC-8BF0-409B-8571-43E8EA2AAFA3}

Event Record #/Type38509 / Error
Event Submitted/Written: 03/17/2008 11:44:09 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service NSCService with arguments ""
in order to run the server:
{09B7ADDC-8BF0-409B-8571-43E8EA2AAFA3}



-- End of Deckard's System Scanner: finished at 2008-03-18 11:34:31 ------------

And finally the Kasperspy one:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 18, 2008 9:05:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/03/2008
Kaspersky Anti-Virus database records: 636984
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 93079
Number of viruses found: 12
Number of infected objects: 68
Number of suspicious objects: 2
Duration of the scan process: 02:42:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\dszeliji.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip/lsass.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip/Helper8.dll Infected: Trojan-Downloader.Win32.Alphabet.ap skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh12.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh12.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh15.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh15.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh18.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh3.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh6.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh9.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc.zip/etefwnil.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc1.zip/wlensfsx.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc2.zip/etefwnil.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc3.zip/etefwnil.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc4.zip/etefwnil.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-18_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ynodexed.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Application Data\zqrsxalo.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Simon\Application Data\antivirus.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\cert8.db Object is locked skipped
C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\history.dat Object is locked skipped
C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\key3.db Object is locked skipped
C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Simon\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Mozilla\Firefox\Profiles\puaiykv0.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Simon\My Documents\Download\06 Track 6.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Simon\My Documents\Download\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Simon\My Documents\Download\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Simon\My Documents\Download\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Simon\My Documents\Download\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Simon\My Documents\Download\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Simon\My Documents\Download\TOTALLY HIP TRACK.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Simon\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Simon\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\ccApp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Fabgskeb\vcevewto.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Program Files\Fgijpnzk\dvwaxfdn.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Program Files\Ixqjogsc\dulrqqjv.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0218NAV~.TMP Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0705NAV~.TMP Object is locked skipped
C:\RECYCLER\NPROTECT\00654780.BAD Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00654781.BAD Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00654782.BAD Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\NPROTECT\00654783.BAD Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00654784.BAD Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00654785.BAD Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00654786.BAD Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00654787.BAD Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00654872.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00654904.EXE Infected: not-a-virus:FraudTool.Win32.UltimateDefender.ab skipped
C:\RECYCLER\NPROTECT\00654905.EXE Infected: not-a-virus:FraudTool.Win32.UltimateDefender.ac skipped
C:\RECYCLER\NPROTECT\00654914.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00658403.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\00659383.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP320\A0194070.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP331\A0213144.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP331\A0213155.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP331\A0213157.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP331\A0213163.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP335\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{ABDA958C-0203-45DF-953C-CCFDAED1C536}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddcyv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ddcyv.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ktegfwbt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe/webcontrol/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.g skipped
C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe CAB: infected - 1 skipped
C:\WINDOWS\system32\pwlocsjn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xrsjmcis.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.




Thanks so much for your help for this, especially as you are so busy. Suffice to say this is drivig me mental so let's hope we can fix it.

Simonlebon

#4 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:01:49 PM

Posted 18 March 2008 - 09:53 PM

serious vundo infection and some other garbage

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


#5 simonlebon

simonlebon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 22 March 2008 - 04:32 AM

Hi Don77

Here are the logs as requested:

Combofix -

ComboFix 08-03-21.1 - Simon 2008-03-22 8:58:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT 0:00]
Running from: C:\Documents and Settings\Simon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\dszeliji.dll
C:\Documents and Settings\All Users\Application Data.\ynodexed.dll
C:\Documents and Settings\All Users\Application Data.\zqrsxalo.dll
C:\Program Files\Fabgskeb
C:\Program Files\Fabgskeb\vcevewto.dll
C:\Program Files\Fgijpnzk
C:\Program Files\Fgijpnzk\dvwaxfdn.dll
C:\WINDOWS\BM13099a32.xml
C:\WINDOWS\PerfInfo
C:\WINDOWS\ppqvmpqr
C:\WINDOWS\ppqvmpqr\1.png
C:\WINDOWS\ppqvmpqr\2.png
C:\WINDOWS\ppqvmpqr\3.png
C:\WINDOWS\ppqvmpqr\4.png
C:\WINDOWS\ppqvmpqr\5.png
C:\WINDOWS\ppqvmpqr\6.png
C:\WINDOWS\ppqvmpqr\bottom-rc.gif
C:\WINDOWS\ppqvmpqr\content.png
C:\WINDOWS\ppqvmpqr\download.gif
C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif
C:\WINDOWS\ppqvmpqr\frame-h1bg.gif
C:\WINDOWS\ppqvmpqr\head.png
C:\WINDOWS\ppqvmpqr\indexuc.html
C:\WINDOWS\ppqvmpqr\indexud.html
C:\WINDOWS\ppqvmpqr\main.css
C:\WINDOWS\ppqvmpqr\net.png
C:\WINDOWS\ppqvmpqr\pc-mag.gif
C:\WINDOWS\ppqvmpqr\pc.gif
C:\WINDOWS\ppqvmpqr\poloska1.png
C:\WINDOWS\ppqvmpqr\poloska2.png
C:\WINDOWS\ppqvmpqr\poloska3.png
C:\WINDOWS\ppqvmpqr\promouc1.html
C:\WINDOWS\ppqvmpqr\promouc2.html
C:\WINDOWS\ppqvmpqr\promouc3.html
C:\WINDOWS\ppqvmpqr\promouc4.html
C:\WINDOWS\ppqvmpqr\promouc5.html
C:\WINDOWS\ppqvmpqr\promoud1.html
C:\WINDOWS\ppqvmpqr\promoud2.html
C:\WINDOWS\ppqvmpqr\promoud3.html
C:\WINDOWS\ppqvmpqr\promoud4.html
C:\WINDOWS\ppqvmpqr\promoud5.html
C:\WINDOWS\ppqvmpqr\reg.png
C:\WINDOWS\ppqvmpqr\repair.png
C:\WINDOWS\ppqvmpqr\scr-1.png
C:\WINDOWS\ppqvmpqr\scr-2.png
C:\WINDOWS\ppqvmpqr\styles.css
C:\WINDOWS\ppqvmpqr\top-rc.gif
C:\WINDOWS\ppqvmpqr\vline.gif
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bjateoki.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\dnfcvygd.dll
C:\WINDOWS\system32\hssyxhit.dll
C:\WINDOWS\system32\ikoetajb.dll
C:\WINDOWS\system32\ktegfwbt.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ndaTqsVqrX.dll
C:\WINDOWS\system32\njscolwp.ini
C:\WINDOWS\system32\oqijaytb.dll
C:\WINDOWS\system32\powsfxif.dll
C:\WINDOWS\system32\pwlocsjn.dll
C:\WINDOWS\system32\qusqnfse.dll
C:\WINDOWS\system32\vhwtkqld.dll
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\xrsjmcis.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-22 08:57 . 2008-03-22 08:57 3,631 --a------ C:\6.tmp
2008-03-21 23:51 . 2008-03-21 23:51 3,631 --a------ C:\21.tmp
2008-03-21 23:49 . 2008-03-21 23:49 3,631 --a------ C:\20.tmp
2008-03-21 23:47 . 2008-03-21 23:47 3,631 --a------ C:\1F.tmp
2008-03-21 23:43 . 2008-03-21 23:43 3,631 --a------ C:\1D.tmp
2008-03-21 23:41 . 2008-03-21 23:41 3,631 --a------ C:\1C.tmp
2008-03-21 23:35 . 2008-03-21 23:35 3,631 --a------ C:\A.tmp
2008-03-21 23:30 . 2008-03-21 23:30 <DIR> d-------- C:\ComboFix(3)
2008-03-21 23:30 . 2008-03-21 23:30 3,631 --a------ C:\5.tmp
2008-03-21 23:22 . 2008-03-21 23:22 3,631 --a------ C:\16.tmp
2008-03-21 23:17 . 2008-03-21 23:17 3,631 --a------ C:\9.tmp
2008-03-21 23:17 . 2008-03-21 23:17 3,631 --a------ C:\8.tmp
2008-03-21 23:02 . 2008-03-21 23:02 3,631 --a------ C:\E.tmp
2008-03-21 23:00 . 2008-03-21 23:00 3,631 --a------ C:\D.tmp
2008-03-21 22:57 . 2008-03-21 22:57 3,631 --a------ C:\7.tmp
2008-03-21 22:46 . 2008-03-21 22:46 3,631 --a------ C:\A4.tmp
2008-03-21 22:45 . 2008-03-21 22:45 3,631 --a------ C:\A3.tmp
2008-03-21 22:44 . 2008-03-21 22:44 3,631 --a------ C:\A2.tmp
2008-03-21 22:43 . 2008-03-21 22:43 3,631 --a------ C:\A1.tmp
2008-03-21 22:40 . 2008-03-21 22:40 3,631 --a------ C:\90.tmp
2008-03-21 22:38 . 2008-03-21 22:38 3,631 --a------ C:\8F.tmp
2008-03-21 22:36 . 2008-03-21 22:36 3,631 --a------ C:\8E.tmp
2008-03-21 21:37 . 2008-03-21 21:37 3,631 --a------ C:\5A.tmp
2008-03-21 21:35 . 2008-03-21 21:35 3,631 --a------ C:\53.tmp
2008-03-19 08:15 . 2008-03-21 20:43 1,494 ---hs---- C:\WINDOWS\system32\aknbvqab.ini
2008-03-18 11:42 . 2008-03-18 11:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-18 11:42 . 2008-03-18 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-18 11:30 . 2008-03-18 11:30 <DIR> d-------- C:\Deckard
2008-03-17 21:15 . 2008-03-17 22:50 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-17 20:47 . 2008-03-19 08:14 1,374 ---hs---- C:\WINDOWS\system32\eghtctwp.ini
2008-03-17 20:32 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-03-12 22:44 . 2008-03-12 22:44 366 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-01 15:49 . 2008-03-01 15:51 <DIR> d-------- C:\Program Files\SopCast
2008-02-29 14:58 . 2006-06-03 11:40 33,792 -----c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-29 14:32 . 2008-03-12 22:43 <DIR> d-------- C:\Program Files\Mlfhxzky
2008-02-28 23:07 . 2008-02-28 23:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 23:07 . 2008-02-28 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 16:59 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-28 16:59 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-28 16:59 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-28 16:59 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-28 16:59 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-28 16:59 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 22:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-21 22:25 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
2008-03-17 22:06 --------- d-----w C:\Program Files\PowerISO
2008-03-17 20:26 --------- d-----w C:\Program Files\Java
2008-03-17 15:25 --------- d-----w C:\Documents and Settings\Simon\Application Data\uTorrent
2008-03-17 13:30 --------- d-----w C:\Program Files\Norton SystemWorks Premier
2008-03-17 01:24 38,492 ----a-w C:\Documents and Settings\Simon\Application Data\wklnhst.dat
2008-03-12 22:44 --------- d-----w C:\Program Files\klqnwrkt
2008-03-12 22:43 --------- d-----w C:\Program Files\Omknvqcs
2008-03-11 08:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 09:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-04 14:49 --------- d-----w C:\Documents and Settings\Simon\Application Data\LimeWire
2008-03-04 14:48 --------- d-----w C:\Program Files\LimeWire
2008-02-28 23:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-11 09:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 13:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 08:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-28 09:02 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-28 08:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 08:54 --------- d-----w C:\Program Files\KONAMI
2008-01-22 20:24 --------- d-----w C:\Program Files\EA GAMES
2008-01-03 09:03 159,744 ----a-w C:\WINDOWS\system32\hkcmd .exe
2008-01-03 09:03 135,168 ----a-w C:\WINDOWS\system32\igfxtray .exe
2008-01-03 09:03 131,072 ----a-w C:\WINDOWS\system32\igfxpers .exe
2007-12-21 23:08 163,721 ----a-w C:\Documents and Settings\Simon\Application Data\antivirus.exe
.
<pre>
----a-w		   376,912 2008-03-11 08:05:15  C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w		   107,112 2008-03-21 23:07:18  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   517,768 2008-03-10 18:47:45  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w		 6,731,312 2008-01-02 08:16:36  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas		.exe
----a-w		   802,816 2008-03-11 08:05:07  C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w		   144,784 2008-03-17 20:43:33  C:\Program Files\Java\jre1.6.0_05\bin\jusched .exe
----a-w		 1,694,208 2007-12-24 14:48:05  C:\Program Files\Messenger\msmsgs .exe
----a-w			31,016 2008-03-11 08:06:03  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w			25,472 2008-03-11 08:05:47  C:\Program Files\Norton SystemWorks Premier\osCheck .exe
----a-w		   200,704 2007-12-24 12:47:30  C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w			81,920 2008-03-11 08:05:22  C:\Program Files\Sony\SonicStage\SsAAD .exe
----a-w		 1,460,560 2008-03-11 08:06:15  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   761,948 2008-03-11 08:04:56  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   798,720 2008-03-11 08:05:12  C:\Program Files\Toshiba\ConfigFree\CFSServ .exe
----a-w		   974,848 2008-01-03 15:13:08  C:\Program Files\Toshiba\ConfigFree\NDSTray .exe
----a-w			65,536 2008-01-03 15:13:50  C:\Program Files\Toshiba\TOSCDSPD\toscdspd .exe
----a-w		   356,352 2008-01-02 08:15:37  C:\Program Files\Toshiba\TOSHIBA Applet\thotkey .exe
----a-w		   184,320 2008-03-05 08:16:13  C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy .exe
----a-w		   118,784 2007-12-24 15:31:14  C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView .exe
----a-w			73,728 2008-03-11 08:05:02  C:\Program Files\Toshiba\Tvs\TvsTray .exe
----a-w		   974,848 2008-03-11 08:05:04  C:\TOOLSCD\Config Free\Package\NDSFiles\NDSTray .exe
----a-w			77,824 2008-03-11 08:05:41  C:\TOOLSCD\Display Driver\Intel\Win2000\hkcmd .exe
----a-w		   118,784 2008-03-11 08:05:46  C:\TOOLSCD\Display Driver\Intel\Win2000\igfxpers .exe
----a-w			94,208 2008-03-11 08:05:38  C:\TOOLSCD\Display Driver\Intel\Win2000\igfxtray .exe
----a-w			15,360 2008-03-21 22:25:52  C:\WINDOWS\system32\ctfmon .exe
----a-w		   159,744 2008-01-03 09:03:21  C:\WINDOWS\system32\hkcmd .exe
----a-w		   131,072 2008-01-03 09:03:29  C:\WINDOWS\system32\igfxpers .exe
----a-w		   135,168 2008-01-03 09:03:18  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 13:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 14:50 88204 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 13:26 266240 C:\WINDOWS\system32\TPSMain.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-01-10 23:02:45 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrtq32]
winrtq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaxvv]
yayaxvv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys [2005-11-28 09:45]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 13:47]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 08:32:01 C:\WINDOWS\Tasks\Check Updates for MSN Search Toolbar.job"
- C:\Program Files\MSN Toolbar Suite\MSNTBUP.EXE
"2008-02-22 20:54:23 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Simon.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-03-17 13:30:11 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Premier\OBC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 09:05:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-03-22 9:09:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-22 09:09:09
.
2008-03-12 22:44:38 --- E O F ---


And the new Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:35, on 22/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/229?95313124e5994561b0b22a57295b4ca
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/230?95313124e5994561b0b22a57295b4ca
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winrtq32 - winrtq32.dll (file missing)
O20 - Winlogon Notify: yayaxvv - yayaxvv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 11196 bytes

Thanks for the help!

Simonlebon

#6 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:01:49 PM

Posted 22 March 2008 - 10:40 AM

Have some real garbage on here


First
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RenV::
----a-w 376,912 2008-03-11 08:05:15 C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w 107,112 2008-03-21 23:07:18 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 517,768 2008-03-10 18:47:45 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w 6,731,312 2008-01-02 08:16:36 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 802,816 2008-03-11 08:05:07 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w 144,784 2008-03-17 20:43:33 C:\Program Files\Java\jre1.6.0_05\bin\jusched .exe
----a-w 1,694,208 2007-12-24 14:48:05 C:\Program Files\Messenger\msmsgs .exe
----a-w 31,016 2008-03-11 08:06:03 C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w 25,472 2008-03-11 08:05:47 C:\Program Files\Norton SystemWorks Premier\osCheck .exe
----a-w 200,704 2007-12-24 12:47:30 C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w 81,920 2008-03-11 08:05:22 C:\Program Files\Sony\SonicStage\SsAAD .exe
----a-w 1,460,560 2008-03-11 08:06:15 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 761,948 2008-03-11 08:04:56 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 798,720 2008-03-11 08:05:12 C:\Program Files\Toshiba\ConfigFree\CFSServ .exe
----a-w 974,848 2008-01-03 15:13:08 C:\Program Files\Toshiba\ConfigFree\NDSTray .exe
----a-w 65,536 2008-01-03 15:13:50 C:\Program Files\Toshiba\TOSCDSPD\toscdspd .exe
----a-w 356,352 2008-01-02 08:15:37 C:\Program Files\Toshiba\TOSHIBA Applet\thotkey .exe
----a-w 184,320 2008-03-05 08:16:13 C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy .exe
----a-w 118,784 2007-12-24 15:31:14 C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView .exe
----a-w 73,728 2008-03-11 08:05:02 C:\Program Files\Toshiba\Tvs\TvsTray .exe
----a-w 974,848 2008-03-11 08:05:04 C:\TOOLSCD\Config Free\Package\NDSFiles\NDSTray .exe
----a-w 77,824 2008-03-11 08:05:41 C:\TOOLSCD\Display Driver\Intel\Win2000\hkcmd .exe
----a-w 118,784 2008-03-11 08:05:46 C:\TOOLSCD\Display Driver\Intel\Win2000\igfxpers .exe
----a-w 94,208 2008-03-11 08:05:38 C:\TOOLSCD\Display Driver\Intel\Win2000\igfxtray .exe
----a-w 15,360 2008-03-21 22:25:52 C:\WINDOWS\system32\ctfmon .exe
----a-w 159,744 2008-01-03 09:03:21 C:\WINDOWS\system32\hkcmd .exe
----a-w 131,072 2008-01-03 09:03:29 C:\WINDOWS\system32\igfxpers .exe
----a-w 135,168 2008-01-03 09:03:18 C:\WINDOWS\system32\igfxtray .exe

Folder::
C:\Program Files\klqnwrkt
C:\Program Files\Omknvqcs
C:\Program Files\Mlfhxzky

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrtq32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaxvv]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Next
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


In your next reply I need to see the new Combofix txt and the Report txt from SDfix please

#7 simonlebon

simonlebon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 25 March 2008 - 05:15 AM

Hey Don77

Here are the logs you asked for:

Combofix:

ComboFix 08-03-21.1 - Simon 2008-03-25 9:31:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT 0:00]
Running from: C:\Documents and Settings\Simon\My Documents\Download\ComboFix.exe
Command switches used :: C:\Documents and Settings\Simon\My Documents\Download\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\klqnwrkt
C:\Program Files\Mlfhxzky
C:\Program Files\Omknvqcs
C:\WINDOWS\BM13099a32.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\gpaaykjt.dll
C:\WINDOWS\system32\mgvsmgvr.dll
C:\WINDOWS\system32\oaheowen.dll
C:\WINDOWS\system32\tjkyaapg.ini
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-25 09:30 . 2008-03-25 09:30 3,631 --a------ C:\A4.tmp
2008-03-25 09:29 . 2008-03-25 09:29 <DIR> d-------- C:\ComboFix(2)
2008-03-25 09:29 . 2008-03-25 09:29 3,631 --a------ C:\9F.tmp
2008-03-25 09:29 . 2008-03-25 09:29 3,631 --a------ C:\9A.tmp
2008-03-25 09:28 . 2008-03-25 09:28 3,631 --a------ C:\99.tmp
2008-03-25 09:26 . 2008-03-25 09:26 3,631 --a------ C:\94.tmp
2008-03-25 09:25 . 2008-03-25 09:25 3,631 --a------ C:\93.tmp
2008-03-25 09:24 . 2008-03-25 09:24 3,631 --a------ C:\92.tmp
2008-03-25 09:16 . 2008-03-25 09:16 3,631 --a------ C:\8E.tmp
2008-03-25 09:15 . 2008-03-25 09:15 3,631 --a------ C:\8D.tmp
2008-03-25 09:14 . 2008-03-25 09:14 <DIR> d-------- C:\ComboFix(3)
2008-03-25 09:14 . 2008-03-25 09:14 3,631 --a------ C:\89.tmp
2008-03-25 09:12 . 2008-03-25 09:12 3,631 --a------ C:\88.tmp
2008-03-25 09:11 . 2008-03-25 09:11 3,631 --a------ C:\84.tmp
2008-03-25 09:09 . 2008-03-25 09:09 3,631 --a------ C:\83.tmp
2008-03-22 09:46 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-03-19 08:15 . 2008-03-21 20:43 1,494 ---hs---- C:\WINDOWS\system32\aknbvqab.ini
2008-03-18 11:42 . 2008-03-18 11:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-18 11:42 . 2008-03-18 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-18 11:30 . 2008-03-18 11:30 <DIR> d-------- C:\Deckard
2008-03-17 21:15 . 2008-03-22 12:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-17 20:47 . 2008-03-19 08:14 1,374 ---hs---- C:\WINDOWS\system32\eghtctwp.ini
2008-03-12 22:44 . 2008-03-12 22:44 366 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-01 15:49 . 2008-03-01 15:51 <DIR> d-------- C:\Program Files\SopCast
2008-02-29 14:58 . 2006-06-03 11:40 33,792 -----c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-28 23:07 . 2008-02-28 23:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 23:07 . 2008-02-28 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 16:59 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-28 16:59 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-28 16:59 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-28 16:59 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-28 16:59 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-28 16:59 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 09:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-25 09:31 --------- d-----w C:\Program Files\PowerISO
2008-03-25 09:31 --------- d-----w C:\Program Files\Norton SystemWorks Premier
2008-03-22 12:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-21 22:25 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
2008-03-17 20:26 --------- d-----w C:\Program Files\Java
2008-03-17 15:25 --------- d-----w C:\Documents and Settings\Simon\Application Data\uTorrent
2008-03-17 01:24 38,492 ----a-w C:\Documents and Settings\Simon\Application Data\wklnhst.dat
2008-03-05 09:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-04 14:49 --------- d-----w C:\Documents and Settings\Simon\Application Data\LimeWire
2008-03-04 14:48 --------- d-----w C:\Program Files\LimeWire
2008-02-28 23:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-11 09:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 13:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 08:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-28 09:02 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-28 08:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 08:54 --------- d-----w C:\Program Files\KONAMI
2008-01-03 09:03 159,744 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-03 09:03 135,168 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-03 09:03 131,072 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-21 23:08 163,721 ----a-w C:\Documents and Settings\Simon\Application Data\antivirus.exe
.
<pre>
----a-w		   107,112 2008-03-25 09:17:44  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   517,768 2008-03-10 18:47:45  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w		 6,731,312 2008-01-02 08:16:36  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas		.exe
----a-w			15,360 2008-03-21 22:25:52  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 13:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 14:50 88204 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 13:26 266240 C:\WINDOWS\system32\TPSMain.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-01-10 23:02:45 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys [2005-11-28 09:45]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 13:47]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 09:32:00 C:\WINDOWS\Tasks\Check Updates for MSN Search Toolbar.job"
- C:\Program Files\MSN Toolbar Suite\MSNTBUP.EXE
"2008-02-22 20:54:23 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Simon.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-03-24 12:03:12 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Premier\OBC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 09:38:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-03-25 9:41:11 - machine was rebooted [Simon]
ComboFix-quarantined-files.txt 2008-03-25 09:41:06
ComboFix2.txt 2008-03-22 09:09:15
.
2008-03-12 22:44:38 --- E O F ---


And the SDFix log:


SDFix: Version 1.161

Run by Simon on 25/03/2008 at 09:55

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting SecurityProviders Value

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Simon\Application Data\antivirus.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 10:00:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:d1,62,33,03,2b,67,3a,7b,7e,d0,4b,c3,24,14,91,93,25,d8,34,c1,56,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:30,77,81,2d,0d,ad,b9,e9,03,37,07,84,2e,46,a9,d9,a6,fc,62,ae,2a,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,63,f0,d5,d2,a8,4a,6b,8e,9f,09,ef,0a,95,a5,a2,dd,c5,..
"khjeh"=hex:5f,08,8e,2f,25,f5,28,9d,0e,ab,cc,b3,14,36,30,d5,b3,04,31,f9,69,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:30,74,6b,80,be,00,b3,5d,82,5f,a2,5f,4b,8b,87,b9,41,fc,66,98,a4,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8e,cd,f5,46,0b,06,2f,e1,1e,7a,fe,f3,f6,13,c4,74,23,ee,93,2e,8b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:9c,ec,bb,69,5b,d5,04,0f,ca,4e,6c,e9,bf,58,02,4a,13,a0,8e,53,22,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\Memory Management\PrefetchParameters]
"VideoInitTime"=dword:0000081e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Watchdog\Display]
"ShutdownCount"=dword:00000222
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\ACPI\PNPA000\4&5d18f2df&0]
"Service"="avw2729g"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SPBBCDrv\Parameters]
"Configuration"="C:\Program Files\Common Files\Symantec Shared\SPBBC\2008-03-25-0bee.kc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:d1,62,33,03,2b,67,3a,7b,7e,d0,4b,c3,24,14,91,93,25,d8,34,c1,56,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:30,77,81,2d,0d,ad,b9,e9,03,37,07,84,2e,46,a9,d9,a6,fc,62,ae,2a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,63,f0,d5,d2,a8,4a,6b,8e,9f,09,ef,0a,95,a5,a2,dd,c5,..
"khjeh"=hex:5f,08,8e,2f,25,f5,28,9d,0e,ab,cc,b3,14,36,30,d5,b3,04,31,f9,69,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:30,74,6b,80,be,00,b3,5d,82,5f,a2,5f,4b,8b,87,b9,41,fc,66,98,a4,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8e,cd,f5,46,0b,06,2f,e1,1e,7a,fe,f3,f6,13,c4,74,23,ee,93,2e,8b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:9c,ec,bb,69,5b,d5,04,0f,ca,4e,6c,e9,bf,58,02,4a,13,a0,8e,53,22,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SynTP\Parameters]
"DetectTimeMS"=dword:0000028c

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"RefCount"=dword:00000003

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ćTorrent"
"C:\\Program Files\\PPLive\\PPLive.exe"="C:\\Program Files\\PPLive\\PPLive.exe:*:Enabled:PPLive"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Simon\\Application Data\\trant.exe"="C:\\Documents and Settings\\Simon\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Simon\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Simon\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 10 Aug 2007 5,388,088 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 10 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP327\A0211798.sys"
Mon 10 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP328\A0212090.sys"
Tue 11 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP330\A0212858.sys"
Thu 13 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP330\A0213133.sys"
Fri 14 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP331\A0213186.sys"
Sat 15 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP332\A0213279.sys"
Sun 16 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP332\A0213299.sys"
Sun 16 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP332\A0213328.sys"
Sun 16 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP332\A0213349.sys"
Mon 17 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP334\A0213411.sys"
Mon 17 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP334\A0213521.sys"
Tue 18 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP335\A0213637.sys"
Wed 19 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP335\A0213666.sys"
Fri 21 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP336\A0213827.sys"
Fri 21 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP336\A0213846.sys"
Fri 21 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP336\A0213870.sys"
Fri 21 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP337\A0214151.sys"
Sat 22 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP337\A0214326.sys"
Sat 22 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP338\A0214517.sys"
Sat 22 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP338\A0214784.sys"
Sun 23 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP338\A0214872.sys"
Tue 25 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP339\A0215171.sys"
Tue 25 Mar 2008 84 A..H. --- "C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP339\A0215225.sys"
Wed 10 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 25 Mar 2008 84 A..H. --- "C:\Program Files\Common Files\X10\Common\x10prod.sys"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT33.tmp"
Wed 31 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BITA.tmp"
Thu 21 Dec 2006 26,624 A..H. --- "C:\Documents and Settings\Simon\My Documents\Law\GDL\Crime\~WRL2612.tmp"
Fri 10 Nov 2006 57,856 A..H. --- "C:\Documents and Settings\Simon\My Documents\Law\GDL\EU\~WRL0412.tmp"
Fri 10 Nov 2006 64,000 A..H. --- "C:\Documents and Settings\Simon\My Documents\Law\GDL\EU\~WRL2141.tmp"
Sun 10 Feb 2008 18,324 ...H. --- "C:\Documents and Settings\Simon\My Documents\Law\LPC\BLP\~WRL3978.tmp"

Finished!

And a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:22, on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/229?95313124e5994561b0b22a57295b4ca
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/230?95313124e5994561b0b22a57295b4ca
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 11253 bytes


Thanks loads for your help Don77

Simonlebon

#8 simonlebon

simonlebon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 25 March 2008 - 05:56 AM

Hello again

Just thought I'd say that I have been using the laptop for the last hour and although the interent was functioning properly when I first started using it, it has now gone down to a crawl again and some pages won't load at all, just like before. It seems that after running the anti-malware programmes everything if fine for about 1/2 hour and then the problem reappears.

I also just received an alert from Nortn Anti-Virus (after completing the instructions above) that said:

Intrusion: HTTP Trojan Vundo Activity
Intruder: localhost(2914)
Risk level: High
Attacked IP: tamotua.com (82.98.235.71)
Attacked port: http (80)

I suspect this is bad news...?!

Simonlebon

#9 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:01:49 PM

Posted 25 March 2008 - 06:33 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RenV::
----a-w 107,112 2008-03-25 09:17:44 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 517,768 2008-03-10 18:47:45 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w 6,731,312 2008-01-02 08:16:36 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 15,360 2008-03-21 22:25:52 C:\WINDOWS\system32\ctfmon .exe
File::
C:\A4.tmp
C:\9F.tmp
C:\9A.tmp
C:\99.tmp
C:\94.tmp
C:\93.tmp
C:\92.tmp
C:\8E.tmp
C:\8D.tmp
C:\89.tmp
C:\88.tmp
C:\84.tmp
C:\83.tmp
C:\WINDOWS\system32\aknbvqab.ini
C:\WINDOWS\system32\eghtctwp.ini


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Do you have your Nortons CD handy ? we may have to go for a removal and reinstall

#10 simonlebon

simonlebon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 26 March 2008 - 05:16 AM

Hey Don77

Here is the latest COmbofix log:

ComboFix 08-03-21.1 - Simon 2008-03-26 9:57:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.614 [GMT 0:00]
Running from: C:\Documents and Settings\Simon\My Documents\Download\ComboFix.exe
Command switches used :: C:\Documents and Settings\Simon\My Documents\Download\CFScript.txt
* Created a new restore point

FILE ::
C:\83.tmp
C:\84.tmp
C:\88.tmp
C:\89.tmp
C:\8D.tmp
C:\8E.tmp
C:\92.tmp
C:\93.tmp
C:\94.tmp
C:\99.tmp
C:\9A.tmp
C:\9F.tmp
C:\A4.tmp
C:\WINDOWS\system32\aknbvqab.ini
C:\WINDOWS\system32\eghtctwp.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\83.tmp
C:\84.tmp
C:\88.tmp
C:\89.tmp
C:\8D.tmp
C:\8E.tmp
C:\92.tmp
C:\93.tmp
C:\94.tmp
C:\99.tmp
C:\9A.tmp
C:\9F.tmp
C:\A4.tmp
C:\WINDOWS\BM13099a32.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aknbvqab.ini
C:\WINDOWS\system32\cetoqwlx.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\eghtctwp.ini
C:\WINDOWS\system32\euxavvai.dll
C:\WINDOWS\system32\lnvuplps.dll
C:\WINDOWS\system32\splpuvnl.ini
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 09:56 . 2008-03-26 09:56 3,631 --a------ C:\A.tmp
2008-03-26 09:55 . 2008-03-26 09:55 <DIR> d-------- C:\ComboFix(2)
2008-03-26 09:55 . 2008-03-26 09:55 3,631 --a------ C:\5.tmp
2008-03-25 10:50 . 2008-03-25 10:50 53,312 --a------ C:\WINDOWS\system32\gtnwsyiy.dll
2008-03-25 09:51 . 2008-03-25 09:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-25 09:43 . 2008-03-25 10:04 <DIR> d-------- C:\SDFix
2008-03-25 09:14 . 2008-03-25 09:14 <DIR> d-------- C:\ComboFix(3)
2008-03-22 09:46 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-03-18 11:42 . 2008-03-18 11:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-18 11:42 . 2008-03-18 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-18 11:30 . 2008-03-18 11:30 <DIR> d-------- C:\Deckard
2008-03-17 21:15 . 2008-03-22 12:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-12 22:44 . 2008-03-12 22:44 366 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-01 15:49 . 2008-03-01 15:51 <DIR> d-------- C:\Program Files\SopCast
2008-02-29 14:58 . 2006-06-03 11:40 33,792 -----c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-28 23:07 . 2008-02-28 23:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 23:07 . 2008-02-28 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 16:59 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-28 16:59 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-28 16:59 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-28 16:59 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-28 16:59 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-28 16:59 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-25 13:33 --------- d-----w C:\Documents and Settings\Simon\Application Data\uTorrent
2008-03-25 09:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-25 09:31 --------- d-----w C:\Program Files\PowerISO
2008-03-25 09:31 --------- d-----w C:\Program Files\Norton SystemWorks Premier
2008-03-22 12:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-21 22:25 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-03-17 20:26 --------- d-----w C:\Program Files\Java
2008-03-17 01:24 38,492 ----a-w C:\Documents and Settings\Simon\Application Data\wklnhst.dat
2008-03-05 09:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-04 14:49 --------- d-----w C:\Documents and Settings\Simon\Application Data\LimeWire
2008-03-04 14:48 --------- d-----w C:\Program Files\LimeWire
2008-02-28 23:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-11 09:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 13:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 08:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-28 09:02 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-28 08:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 08:54 --------- d-----w C:\Program Files\KONAMI
2008-01-03 09:03 159,744 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-03 09:03 135,168 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-03 09:03 131,072 ----a-w C:\WINDOWS\system32\igfxpers.exe
.
<pre>
----a-w		   107,112 2008-03-26 09:28:46  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   517,768 2008-03-10 18:47:45  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w		 6,731,312 2008-01-02 08:16:36  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas		.exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-03-22_ 9.08.52.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 06:28:52 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-25 09:52:43 6,959,104 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-25 09:52:43 208,896 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-25 06:28:52 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-25 09:52:16 6,959,104 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-03-25 09:52:16 208,896 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2004-08-10 12:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-03-21 22:25:52 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-03-25 10:50 53312 --a------ C:\WINDOWS\system32\gtnwsyiy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-21 22:25 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 13:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 14:50 88204 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 13:26 266240 C:\WINDOWS\system32\TPSMain.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-01-10 23:02:45 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys [2005-11-28 09:45]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 13:47]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 09:32:00 C:\WINDOWS\Tasks\Check Updates for MSN Search Toolbar.job"
- C:\Program Files\MSN Toolbar Suite\MSNTBUP.EXE
"2008-02-22 20:54:23 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Simon.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-03-24 12:03:12 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Premier\OBC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 10:04:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-03-26 10:07:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 10:07:12
ComboFix2.txt 2008-03-25 09:41:12
ComboFix3.txt 2008-03-22 09:09:15
.
2008-03-12 22:44:38 --- E O F ---


And a HJT log:
ComboFix 08-03-21.1 - Simon 2008-03-26 9:57:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.614 [GMT 0:00]
Running from: C:\Documents and Settings\Simon\My Documents\Download\ComboFix.exe
Command switches used :: C:\Documents and Settings\Simon\My Documents\Download\CFScript.txt
* Created a new restore point

FILE ::
C:\83.tmp
C:\84.tmp
C:\88.tmp
C:\89.tmp
C:\8D.tmp
C:\8E.tmp
C:\92.tmp
C:\93.tmp
C:\94.tmp
C:\99.tmp
C:\9A.tmp
C:\9F.tmp
C:\A4.tmp
C:\WINDOWS\system32\aknbvqab.ini
C:\WINDOWS\system32\eghtctwp.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\83.tmp
C:\84.tmp
C:\88.tmp
C:\89.tmp
C:\8D.tmp
C:\8E.tmp
C:\92.tmp
C:\93.tmp
C:\94.tmp
C:\99.tmp
C:\9A.tmp
C:\9F.tmp
C:\A4.tmp
C:\WINDOWS\BM13099a32.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aknbvqab.ini
C:\WINDOWS\system32\cetoqwlx.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\eghtctwp.ini
C:\WINDOWS\system32\euxavvai.dll
C:\WINDOWS\system32\lnvuplps.dll
C:\WINDOWS\system32\splpuvnl.ini
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 09:56 . 2008-03-26 09:56 3,631 --a------ C:\A.tmp
2008-03-26 09:55 . 2008-03-26 09:55 <DIR> d-------- C:\ComboFix(2)
2008-03-26 09:55 . 2008-03-26 09:55 3,631 --a------ C:\5.tmp
2008-03-25 10:50 . 2008-03-25 10:50 53,312 --a------ C:\WINDOWS\system32\gtnwsyiy.dll
2008-03-25 09:51 . 2008-03-25 09:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-25 09:43 . 2008-03-25 10:04 <DIR> d-------- C:\SDFix
2008-03-25 09:14 . 2008-03-25 09:14 <DIR> d-------- C:\ComboFix(3)
2008-03-22 09:46 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-03-18 11:42 . 2008-03-18 11:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-18 11:42 . 2008-03-18 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-18 11:30 . 2008-03-18 11:30 <DIR> d-------- C:\Deckard
2008-03-17 21:15 . 2008-03-22 12:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-12 22:44 . 2008-03-12 22:44 366 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-01 15:49 . 2008-03-01 15:51 <DIR> d-------- C:\Program Files\SopCast
2008-02-29 14:58 . 2006-06-03 11:40 33,792 -----c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-28 23:07 . 2008-02-28 23:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 23:07 . 2008-02-28 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 16:59 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-28 16:59 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-28 16:59 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-28 16:59 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-28 16:59 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-28 16:59 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-25 13:33 --------- d-----w C:\Documents and Settings\Simon\Application Data\uTorrent
2008-03-25 09:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-25 09:31 --------- d-----w C:\Program Files\PowerISO
2008-03-25 09:31 --------- d-----w C:\Program Files\Norton SystemWorks Premier
2008-03-22 12:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-21 22:25 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-03-17 20:26 --------- d-----w C:\Program Files\Java
2008-03-17 01:24 38,492 ----a-w C:\Documents and Settings\Simon\Application Data\wklnhst.dat
2008-03-05 09:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-04 14:49 --------- d-----w C:\Documents and Settings\Simon\Application Data\LimeWire
2008-03-04 14:48 --------- d-----w C:\Program Files\LimeWire
2008-02-28 23:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-11 09:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 13:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 08:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-28 09:02 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-28 08:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 08:54 --------- d-----w C:\Program Files\KONAMI
2008-01-03 09:03 159,744 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-03 09:03 135,168 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-03 09:03 131,072 ----a-w C:\WINDOWS\system32\igfxpers.exe
.
<pre>
----a-w		   107,112 2008-03-26 09:28:46  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   517,768 2008-03-10 18:47:45  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w		 6,731,312 2008-01-02 08:16:36  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas		.exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-03-22_ 9.08.52.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 06:28:52 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-25 09:52:43 6,959,104 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-25 09:52:43 208,896 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-25 06:28:52 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-25 09:52:16 6,959,104 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-03-25 09:52:16 208,896 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2004-08-10 12:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-03-21 22:25:52 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-03-25 10:50 53312 --a------ C:\WINDOWS\system32\gtnwsyiy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-21 22:25 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 13:59 16206848 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 14:50 88204 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 13:26 266240 C:\WINDOWS\system32\TPSMain.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2007-01-10 23:02:45 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys [2005-11-28 09:45]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 13:47]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 09:32:00 C:\WINDOWS\Tasks\Check Updates for MSN Search Toolbar.job"
- C:\Program Files\MSN Toolbar Suite\MSNTBUP.EXE
"2008-02-22 20:54:23 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Simon.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-03-24 12:03:12 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Premier\OBC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 10:04:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-03-26 10:07:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 10:07:12
ComboFix2.txt 2008-03-25 09:41:12
ComboFix3.txt 2008-03-22 09:09:15
.
2008-03-12 22:44:38 --- E O F ---


Afraid I don't have the disk for the Norton Anti-Virus 2006 as I downloaded it straight from the Norton website so they never sent me a disk. I do however have the disk for Norton Systemworks. I think I have them both running on the laptop at the same time, and considering the Anit-Virus is from 2006 and hasn't had updates for a while, is it preferable to uninstall that, and not to re-install it, and just to have Norton Systemworks running on its own from now on?

Thanks again

Simonlebon

#11 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:01:49 PM

Posted 26 March 2008 - 05:44 PM

Lets have a peek for something here

Please download Navilog1 by IL-MAFIOSO:
http://pagesperso-orange.fr/il.mafioso/Navifix/Navilog1.exe
(*Alternate download location Here)

* Save it to your Desktop.
* Double-click on Navilog1.exe to install the program.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double-click on the Navilog1 shortcut on your Desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time).
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

Could you post a HJT log as well please

#12 simonlebon

simonlebon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 27 March 2008 - 07:28 AM

Here's the fixnavi one:

Search Navipromo version 3.5.1 began on 27/03/2008 at 12:14:12.88

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Actual User Account : "Simon"

Updated on 23.03.2008 at 22h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 6.0.2900.2180
Filesystem type : NTFS

Done in normal mode

*** Searching for installed Software ***




*** Search folders in C:\WINDOWS ***



*** Search folders in C:\Program Files ***



*** Search folders in C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***




*** Search folders in "C:\Documents and Settings\Simon\applic~1" ***



*** Search folders in "C:\Documents and Settings\Simon\locals~1\applic~1" ***



*** Search folders in "C:\Documents and Settings\Simon\startm~1\programs" ***


*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

No file found



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in "C:\Documents and Settings\Simon\locals~1\applic~1" *

* Scan in "C:\docume~1\Administrator\locals~1\applic~1" *



*** Search files ***




*** Search specific Registry keys ***


*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :


2)Heuristic Search :

* In C:\WINDOWS\system32 :


* In "C:\Documents and Settings\Simon\locals~1\applic~1" :


* In ""C:\docume~1\Administrator\locals~1\applic~1"" :


3)Certificates Search :

Egroup certificate not found !
Electronic-Group certificate not found !
OOO-Favorit certificate not found !
Sunny-Day-Design-Ltd certificate not found !

4)Search known files :

C:\WINDOWS\system32\vycdd.ini2 found ! Possible Vundo infection, not cleaned with this tool !


*** Search completed on 27/03/2008 at 12:18:17.96 ***


And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:23, on 27/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcyv.exe
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BM13099a32] Rundll32.exe "C:\WINDOWS\system32\nbavnwxe.dll",s
O4 - HKLM\..\Run: [103aa9ae] rundll32.exe "C:\WINDOWS\system32\dgnpfskc.dll",b
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/229?95313124e5994561b0b22a57295b4ca
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/230?95313124e5994561b0b22a57295b4ca
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 10627 bytes


Thanks!

Simonlebon

#13 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:01:49 PM

Posted 27 March 2008 - 05:45 PM

OK we are gaining on it

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


#14 simonlebon

simonlebon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 28 March 2008 - 04:02 AM

HEy Don77

I'm ssure we are getting there bit by bit

Here's the Vundofix log:


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 19:19:44 24/12/2007

Listing files found while scanning....

C:\WINDOWS\avp .exe
C:\WINDOWS\avp .exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\avp .exe
C:\WINDOWS\avp .exe Has been deleted!

Attempting to delete C:\WINDOWS\avp .exe
C:\WINDOWS\avp .exe Has been deleted!

Attempting to delete C:\WINDOWS\lsass.exe
C:\WINDOWS\lsass.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\ddcyv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\vycdd.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 12:10:25 03/01/2008

Listing files found while scanning....

C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\ddcyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyv.exe
C:\WINDOWS\system32\ddcyv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\vycdd.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.3

Scan started at 23:34:53 27/03/2008

Listing files found while scanning....

C:\WINDOWS\system32\gtnwsyiy.dll
C:\WINDOWS\system32\lpqnntkq.dll
C:\WINDOWS\system32\nbavnwxe.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gtnwsyiy.dll
C:\WINDOWS\system32\gtnwsyiy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lpqnntkq.dll
C:\WINDOWS\system32\lpqnntkq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nbavnwxe.dll
C:\WINDOWS\system32\nbavnwxe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V7.0.3

Scan started at 23:50:41 27/03/2008

Listing files found while scanning....

C:\WINDOWS\system32\nbavnwxe.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nbavnwxe.dll
C:\WINDOWS\system32\nbavnwxe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!


And a new HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:57:08, on 28/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcyv.exe
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [103aa9ae] rundll32.exe "C:\WINDOWS\system32\dgnpfskc.dll",b
O4 - HKLM\..\Run: [BM13099a32] Rundll32.exe "C:\WINDOWS\system32\nbavnwxe.dll",s
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\KHost.exe -all
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/229?95313124e5994561b0b22a57295b4ca
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\en-gb\msntabres.dll.mui/230?95313124e5994561b0b22a57295b4ca
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 10816 bytes



The performance of the laptop has been very slow since running Vundofix, and as far as a I can tell the problems wih the internet speed are still there unfortunately!

Cheers
Simonlebon

#15 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:01:49 PM

Posted 28 March 2008 - 06:05 PM

Hello simonlebon
The machine has/had some nasty infections on it but as I said we are gaining on it
  • Open a new notepad window
  • Paste the list of files from the quote box below into the notepad window.

    C:\WINDOWS\system32\dgnpfskc.dll
    C:\WINDOWS\system32\nbavnwxe.dll

  • Save this as vundofix.vft and Save as type "all files".
  • Double-click VundoFix.exe to run it.
  • Drag vundofix.vft onto the listbox (white box) of VundoFix.
  • Click the "Remove Vundo" button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting


Next
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post back the vundofix txt. a fresh HJT log and the log from Superantispyware please




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users