Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop Ups And Internet Very Random


  • This topic is locked This topic is locked
15 replies to this topic

#1 TomJ

TomJ

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 04 June 2008 - 06:27 AM

Hello Everyone, I have a tohsiba laptop that I am having issues with. I am getting random pop ups and I cant access some web sites and the computer is very slow. I believe I have some sort of a virus or trojan. I have scanned with my norton antivirus and spybot search and destrroy. Can you please let me know what you think.

Thank you

Here is the hijack log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:16 AM, on 6/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\EWA net\server\bin\tomcat.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\iFtpSvc\iFtpSvc.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\System32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\cmserver.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\lic_srv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.46.16.119:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [68dad981] rundll32.exe "C:\WINDOWS\System32\rcbbjegb.dll",b
O4 - HKLM\..\Run: [BM6be9ea1d] Rundll32.exe "C:\WINDOWS\System32\xkfmjdml.dll",s
O4 - HKLM\..\RunServices: [RNBOStart] c:\windows\system32\rnbosent\sentstrt.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400501926
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400486735
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
O23 - Service: EWA net DB EPC - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
O23 - Service: EWA net DB WIS - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
O23 - Service: EWA net Server - Alexandria Software Consulting - C:\Program Files\EWA net\server\bin\tomcat.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 20484 bytes

BC AdBot (Login to Remove)

 


#2 TomJ

TomJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 04 June 2008 - 10:02 AM

Hi, I think it has something to do with the rundll32.exe, as I see it running in the task manager and also in the msconfig in the startup as c:\Rundll32.exe "c:\windows\System32\xkfmjdml.dll. I also see it as NcVpl RUNDLL32.EXE in the same folder.


Does this appear like something is wrong.


Thank you

Edited by TomJ, 04 June 2008 - 10:04 AM.


#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 AM

Posted 04 June 2008 - 02:54 PM

Hello TomJ,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#4 TomJ

TomJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 04 June 2008 - 05:42 PM

Hello, Thank you very much for your time and help. I appreciate it deeply.

Here are the logs:

ComboFix 08-06-03.1 - Thomas 2008-06-04 18:03:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.410 [GMT -4:00]
Running from: C:\Documents and Settings\Thomas\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6be9ea1d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awttrQjk.dll
C:\WINDOWS\system32\bgejbbcr.ini
C:\WINDOWS\system32\dhdquwlk.ini
C:\WINDOWS\system32\ecrngxvb.dll
C:\WINDOWS\system32\ekelqtvs.dll
C:\WINDOWS\system32\fOoYHkkj.ini
C:\WINDOWS\system32\fOoYHkkj.ini2
C:\WINDOWS\system32\fPsvDcdd.ini
C:\WINDOWS\system32\fPsvDcdd.ini2
C:\WINDOWS\system32\GMmoWvut.ini
C:\WINDOWS\system32\GMmoWvut.ini2
C:\WINDOWS\system32\iifebYSj.dll
C:\WINDOWS\system32\ivwafqhx.dll
C:\WINDOWS\system32\kjQrttwa.ini
C:\WINDOWS\system32\kjQrttwa.ini2
C:\WINDOWS\system32\kmafvnwx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnlJyyw.dll
C:\WINDOWS\system32\opnlMcax.dll
C:\WINDOWS\system32\ovsncrmk.ini
C:\WINDOWS\system32\qoMeDSlm.dll
C:\WINDOWS\system32\QpstCJjl.ini
C:\WINDOWS\system32\QpstCJjl.ini2
C:\WINDOWS\system32\qtcwgltu.ini
C:\WINDOWS\system32\rcbbjegb.dll
C:\WINDOWS\system32\rsrjupns.ini
C:\WINDOWS\system32\sgyfhuki.ini
C:\WINDOWS\system32\urqOFyXq.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-04 14:17 . 2008-06-04 14:17 132,608 --a------ C:\WINDOWS\system32\fvicvsri.dll
2008-06-04 14:14 . 2008-06-04 14:14 126,976 --a------ C:\WINDOWS\system32\knyfonct.dll
2008-06-04 14:14 . 2008-06-04 14:14 116,736 --a------ C:\WINDOWS\system32\klwuqdhd.dll
2008-06-04 13:40 . 2008-06-04 13:52 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-04 12:02 . 2008-06-04 12:02 132,608 --a------ C:\WINDOWS\system32\mlcycigg.dll
2008-06-04 11:59 . 2008-06-04 11:59 126,976 --a------ C:\WINDOWS\system32\hxeijynd.dll
2008-06-03 22:43 . 2008-06-03 20:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-03 20:40 . 2008-06-04 08:05 <DIR> d-------- C:\Documents and Settings\Thomas\.housecall6.6
2008-06-02 23:47 . 2008-06-04 18:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-02 23:47 . 2008-06-04 18:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-02 22:25 . 2008-06-04 13:00 443 --a------ C:\WINDOWS\wininit.ini
2008-06-02 21:28 . 2008-06-02 21:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-02 21:28 . 2008-06-02 21:28 2,547 --a------ C:\WINDOWS\unins000.dat
2008-06-01 17:08 . 2008-06-01 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-26 15:07 . 2008-05-26 15:08 <DIR> d-------- C:\Program Files\Toyota Diagnostics
2008-05-26 15:07 . 2006-12-13 13:03 2,335,240 --a------ C:\WINDOWS\system32\cwui.ocx
2008-05-26 15:07 . 2000-05-23 01:59 421,376 --a------ C:\WINDOWS\system32\CommX.ocx
2008-05-26 15:07 . 2006-01-17 09:45 299,464 -ra------ C:\WINDOWS\system32\drivers\windrvr6.sys
2008-05-26 15:07 . 2003-07-15 02:59 167,936 --a------ C:\WINDOWS\system32\VtxComm.dll
2008-05-26 15:07 . 1999-01-21 17:00 61,440 --a------ C:\WINDOWS\system32\RCF.DLL
2008-05-26 15:07 . 2006-12-13 13:03 40,960 --a------ C:\WINDOWS\system32\EasyScrollBarEx.ocx
2008-05-25 23:42 . 2008-05-25 23:42 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-25 23:42 . 2008-04-04 19:01 91,520 --a------ C:\WINDOWS\system32\drivers\SysPlant.sys
2008-05-25 23:42 . 2008-05-25 23:42 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-25 23:42 . 2008-05-25 23:42 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-25 23:42 . 2008-05-25 23:42 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-25 23:41 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-05-25 23:41 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-05-25 23:41 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-05-25 22:53 . 2008-05-25 23:47 <DIR> d-------- C:\programme
2008-05-18 20:28 . 2008-05-18 20:28 <DIR> d-------- C:\Program Files\7-Zip
2008-05-07 21:16 . 2008-05-07 21:16 <DIR> d-------- C:\Program Files\PCMSCAN
2008-05-06 06:14 . 2008-05-06 06:14 <DIR> d-------- C:\Program Files\IFS
2008-05-04 20:24 . 2008-03-03 20:13 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-05-04 20:24 . 2008-03-03 20:10 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-05-04 20:24 . 2008-03-03 20:10 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-05-04 20:24 . 2008-03-03 20:10 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-05-04 20:23 . 2008-03-03 20:11 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-05-04 20:23 . 2008-03-03 20:12 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-05-04 20:23 . 2008-03-03 20:10 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-05-04 20:23 . 2008-03-03 20:10 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-05-04 20:23 . 2008-03-03 20:14 25,136 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-05-04 20:23 . 2008-03-03 20:13 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-05-04 20:23 . 2008-05-04 20:23 1,024 --a------ C:\.rnd
2008-05-04 20:19 . 2008-05-04 20:19 <DIR> d-------- C:\Program Files\VMware
2008-05-04 20:19 . 2008-05-04 20:19 <DIR> d-------- C:\Program Files\Common Files\VMware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 21:52 --------- d-----w C:\Documents and Settings\Thomas\Application Data\DMCache
2008-06-04 21:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-04 21:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-04 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-04 09:56 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-04 02:15 --------- d-----w C:\Documents and Settings\Thomas\Application Data\VMware
2008-06-04 01:33 --------- d-----w C:\Program Files\Trend Micro
2008-06-03 22:06 --------- d-----w C:\Documents and Settings\Thomas\Application Data\mIRC
2008-06-03 03:48 --------- d-----w C:\Program Files\mIRC
2008-06-03 01:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-03 00:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 01:08 --------- d-----w C:\Program Files\eMule
2008-06-01 23:57 --------- d-----w C:\Documents and Settings\Thomas\Application Data\uTorrent
2008-06-01 23:00 --------- d-----w C:\Program Files\Bit Che
2008-05-29 22:23 --------- d-----w C:\Program Files\speedDIAL
2008-05-26 19:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 03:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-26 03:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 03:42 --------- d-----w C:\Program Files\Symantec
2008-05-23 20:55 --------- d-----w C:\Documents and Settings\Thomas\Application Data\IDM
2008-05-08 01:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-29 10:27 32 ----a-w C:\WINDOWS\system32\drivers\mshcmd.sys.
2008-04-20 21:32 --------- d-----w C:\Program Files\Java
2008-04-20 20:41 --------- d-----w C:\Program Files\DIFX
2008-04-13 15:19 --------- d-----w C:\Program Files\FlashGet
2008-04-04 23:03 91,632 ----a-w C:\WINDOWS\system32\nts.dll
2008-04-04 23:03 83,440 ----a-w C:\WINDOWS\system32\pds.dll
2008-04-04 23:03 83,384 ----a-w C:\WINDOWS\system32\loc32vc0.dll
2008-04-04 23:03 46,584 ----a-w C:\WINDOWS\system32\msgsys.dll
2008-04-04 23:03 34,288 ----a-w C:\WINDOWS\system32\cba.dll
2008-04-04 22:59 40,832 ----a-w C:\WINDOWS\system32\drivers\WPSDRVnt.sys
2008-04-04 22:58 357,760 ----a-w C:\WINDOWS\system32\sysfer.dll
2008-04-04 22:58 107,904 ----a-w C:\WINDOWS\system32\SymVPN.dll
2008-04-04 22:55 48,000 ----a-w C:\WINDOWS\system32\FwsVpn.dll
2008-04-04 06:45 38,632 ----a-w C:\WINDOWS\system32\drivers\WGX.SYS
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0097DD39-C633-4F24-A180-524DAF855D92}]
C:\WINDOWS\System32\ljJCtspQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201F0208-AD86-4CFC-A4B1-95E04E6217F2}]
C:\WINDOWS\System32\tuvWomMG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{202b1b9d-9855-4011-934b-51a2a6d5b6e9}]
2008-06-04 14:17 132608 --a------ C:\WINDOWS\System32\fvicvsri.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-30 08:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [ ]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-03-09 20:31 2586032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2003-11-12 06:54 48128]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2004-02-25 17:12 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"nwiz"="nwiz.exe" [2004-07-09 18:58 790528 C:\WINDOWS\system32\nwiz.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 01:40 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 18:00 88363 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TFncKy"="TFncKy.exe" []
"TFNF5"="TFNF5.exe" [2004-06-28 13:16 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 23:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-06-29 21:04 1077326]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 16:45 135168]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"TOSHIBA Picture Enhancement Utility"="C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe" [2004-07-16 18:24 638976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-06-17 04:04 122939]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2003-10-20 12:39 159744]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 06:36 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-19 16:26 77824]
"CFSServ.exe"="CFSServ.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-19 16:25 26112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2003-07-30 08:00 145408]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-09 18:58 3665920]
"68dad981"="C:\WINDOWS\System32\klwuqdhd.dll" [2008-06-04 14:14 116736]
"BM6be9ea1d"="C:\WINDOWS\System32\knyfonct.dll" [2008-06-04 14:14 126976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RNBOStart"="c:\windows\system32\rnbosent\sentstrt.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe [2005-03-03 12:34:24 315392]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-07-19 14:52:19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003-12-16 20:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk
backup=C:\WINDOWS\pss\NetScreen-Remote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=C:\WINDOWS\pss\PdaNet Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^snipemon.LNK]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\snipemon.LNK
backup=C:\WINDOWS\pss\snipemon.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6be9ea1d]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=

R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11]
R2 Crypto;Crypto;C:\WINDOWS\System32\drivers\Crypto.sys [2000-07-10 17:01]
R2 DirectNT;DirectNT;C:\WINDOWS\System32\drivers\DirectNT.sys [1996-12-04 18:37]
R2 EWA net DB Core;EWA net DB Core;C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe [2003-11-05 12:02]
R2 EWA net DB EPC;EWA net DB EPC;C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe [2003-11-05 12:02]
R2 EWA net DB WIS;EWA net DB WIS;C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe [2003-11-05 12:02]
R2 EWA net Server;EWA net Server;C:\Program Files\EWA net\server\bin\tomcat.exe [2003-07-31 19:29]
R2 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\System32\Drivers\IPSECDRV.sys [2002-04-04 15:01]
R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\System32\DRIVERS\vap.sys [2002-02-27 14:59]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\System32\DRIVERS\pnetmdm.sys [2006-01-12 14:04]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\System32\DRIVERS\tosrfec.sys [2004-05-17 18:18]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;C:\WINDOWS\System32\DRIVERS\ttv200x.sys [2004-07-10 04:04]
S3 COH_Mon;COH_Mon;C:\WINDOWS\System32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\System32\DRIVERS\SWUSBFLT.sys [2001-08-17 14:02]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 18:16:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\konfig]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\license]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mcp]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\eHome\ehsched.exe
C:\Program Files\Toshiba\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\iFtpSvc\iFtpSvc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
.
**************************************************************************
.
Completion time: 2008-06-04 18:24:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 22:23:17

Pre-Run: 42,023,321,600 bytes free
Post-Run: 41,954,234,368 bytes free

301
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:03 PM, on 6/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPSMain.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\ehome\ehSched.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
C:\Program Files\EWA net\server\bin\tomcat.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\iFtpSvc\iFtpSvc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.46.16.119:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {0097DD39-C633-4F24-A180-524DAF855D92} - C:\WINDOWS\System32\ljJCtspQ.dll (file missing)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {201F0208-AD86-4CFC-A4B1-95E04E6217F2} - C:\WINDOWS\System32\tuvWomMG.dll (file missing)
O2 - BHO: {9e6b5d6a-2a15-b439-1104-5589d9b1b202} - {202b1b9d-9855-4011-934b-51a2a6d5b6e9} - C:\WINDOWS\System32\fvicvsri.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [68dad981] rundll32.exe "C:\WINDOWS\System32\klwuqdhd.dll",b
O4 - HKLM\..\Run: [BM6be9ea1d] Rundll32.exe "C:\WINDOWS\System32\knyfonct.dll",s
O4 - HKLM\..\RunServices: [RNBOStart] c:\windows\system32\rnbosent\sentstrt.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400501926
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400486735
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
O23 - Service: EWA net DB EPC - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
O23 - Service: EWA net DB WIS - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
O23 - Service: EWA net Server - Alexandria Software Consulting - C:\Program Files\EWA net\server\bin\tomcat.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

--
End of file - 17381 bytes

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 AM

Posted 04 June 2008 - 06:13 PM

Hello,

You're welcome. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0097DD39-C633-4F24-A180-524DAF855D92} - C:\WINDOWS\System32\ljJCtspQ.dll (file missing)
O2 - BHO: (no name) - {201F0208-AD86-4CFC-A4B1-95E04E6217F2} - C:\WINDOWS\System32\tuvWomMG.dll (file missing)
O2 - BHO: {9e6b5d6a-2a15-b439-1104-5589d9b1b202} - {202b1b9d-9855-4011-934b-51a2a6d5b6e9} - C:\WINDOWS\System32\fvicvsri.dll
O4 - HKLM\..\Run: [68dad981] rundll32.exe "C:\WINDOWS\System32\klwuqdhd.dll",b
O4 - HKLM\..\Run: [BM6be9ea1d] Rundll32.exe "C:\WINDOWS\System32\knyfonct.dll",s
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following files (if they exist):

C:\WINDOWS\System32\fvicvsri.dll
C:\WINDOWS\System32\klwuqdhd.dll
C:\WINDOWS\System32\knyfonct.dll

Reboot your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

How is it running now please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 TomJ

TomJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 04 June 2008 - 07:40 PM

Hello tea, let me first say Thank you very much :thumbsup: . I did exactly as you said and it is running 110%. It appears faster than it was before and I am not having any issues at all. Thank you. Please let me know how I can help you if there is a way to repay you.

I have 2 questions, What do you suggest is the best antivirus and trojan/worm program I should be running? I am using norton right now.

Here are the logs, Please let me know how it looks. Thank you

Malwarebytes' Anti-Malware 1.14
Database version: 826

8:14:15 PM 6/4/2008
mbam-log-6-4-2008 (20-14-15).txt

Scan type: Quick Scan
Objects scanned: 38130
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM6be9ea1d (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\knyfonct.dll (Trojan.Agent) -> Delete on reboot.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:58 PM, on 6/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
C:\Program Files\EWA net\server\bin\tomcat.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\iFtpSvc\iFtpSvc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\System32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.46.16.119:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [RNBOStart] c:\windows\system32\rnbosent\sentstrt.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400501926
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400486735
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
O23 - Service: EWA net DB EPC - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
O23 - Service: EWA net DB WIS - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
O23 - Service: EWA net Server - Alexandria Software Consulting - C:\Program Files\EWA net\server\bin\tomcat.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

--
End of file - 16780 bytes

Edited by TomJ, 04 June 2008 - 07:41 PM.


#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 AM

Posted 05 June 2008 - 11:49 AM

Hello,

That's excellent to know! :thumbsup:

Just a tad bit of tidying up left to do now.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\System32\ljJCtspQ.dll
C:\WINDOWS\System32\tuvWomMG.dll
C:\WINDOWS\System32\fvicvsri.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0097DD39-C633-4F24-A180-524DAF855D92}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201F0208-AD86-4CFC-A4B1-95E04E6217F2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{202b1b9d-9855-4011-934b-51a2a6d5b6e9}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Let's see if we can get 120% out of it now. :)

The following are not malware, but fixing them with HijackThis will improve your system's speed. None are necessary at startup, and may be started manually at any time. This is up to you. :)

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

I'll answer your questions next post. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 TomJ

TomJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 05 June 2008 - 07:47 PM

Hi tea, thank you again. I did exactly what you said and everthing is going great except when I rebooted norton said it found this "Trojan.Vundo" and had me reboot and it dont come back after that.

The machine is running better than it was when new which was a few years ago :thumbsup: . Here is the combofix.txt and I also put a new hijackthis file also.. Thank you, I look foward to reading your next post to your suggestions.

ComboFix 08-06-03.1 - Thomas 2008-06-05 18:49:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.422 [GMT -4:00]
Running from: C:\Documents and Settings\Thomas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Thomas\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\fvicvsri.dll
C:\WINDOWS\System32\ljJCtspQ.dll
C:\WINDOWS\System32\tuvWomMG.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Malwarebytes
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 20:04 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-04 20:04 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-04 18:24 . 2008-06-04 18:24 294 ---hs---- C:\WINDOWS\system32\dhdquwlk.ini
2008-06-04 18:24 . 2008-06-04 18:24 0 --a------ C:\WINDOWS\BM6be9ea1d.xml
2008-06-04 13:40 . 2008-06-04 13:52 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-04 12:02 . 2008-06-04 12:02 132,608 --a------ C:\WINDOWS\system32\mlcycigg.dll
2008-06-04 11:59 . 2008-06-04 11:59 126,976 --a------ C:\WINDOWS\system32\hxeijynd.dll
2008-06-03 22:43 . 2008-06-03 20:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-03 20:40 . 2008-06-04 08:05 <DIR> d-------- C:\Documents and Settings\Thomas\.housecall6.6
2008-06-02 23:47 . 2008-06-05 19:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-02 23:47 . 2008-06-05 18:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-02 22:25 . 2008-06-04 13:00 443 --a------ C:\WINDOWS\wininit.ini
2008-06-02 21:28 . 2008-06-02 21:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-02 21:28 . 2008-06-02 21:28 2,547 --a------ C:\WINDOWS\unins000.dat
2008-06-01 17:08 . 2008-06-01 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-26 15:07 . 2008-05-26 15:08 <DIR> d-------- C:\Program Files\Toyota Diagnostics
2008-05-26 15:07 . 2006-12-13 13:03 2,335,240 --a------ C:\WINDOWS\system32\cwui.ocx
2008-05-26 15:07 . 2000-05-23 01:59 421,376 --a------ C:\WINDOWS\system32\CommX.ocx
2008-05-26 15:07 . 2006-01-17 09:45 299,464 -ra------ C:\WINDOWS\system32\drivers\windrvr6.sys
2008-05-26 15:07 . 2003-07-15 02:59 167,936 --a------ C:\WINDOWS\system32\VtxComm.dll
2008-05-26 15:07 . 1999-01-21 17:00 61,440 --a------ C:\WINDOWS\system32\RCF.DLL
2008-05-26 15:07 . 2006-12-13 13:03 40,960 --a------ C:\WINDOWS\system32\EasyScrollBarEx.ocx
2008-05-25 23:42 . 2008-05-25 23:42 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-25 23:42 . 2008-04-04 19:01 91,520 --a------ C:\WINDOWS\system32\drivers\SysPlant.sys
2008-05-25 23:42 . 2008-05-25 23:42 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-25 23:42 . 2008-05-25 23:42 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-25 23:42 . 2008-05-25 23:42 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-25 23:41 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-05-25 23:41 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-05-25 23:41 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-05-25 22:53 . 2008-05-25 23:47 <DIR> d-------- C:\programme
2008-05-18 20:28 . 2008-05-18 20:28 <DIR> d-------- C:\Program Files\7-Zip
2008-05-07 21:16 . 2008-05-07 21:16 <DIR> d-------- C:\Program Files\PCMSCAN
2008-05-06 06:14 . 2008-05-06 06:14 <DIR> d-------- C:\Program Files\IFS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 23:00 --------- d-----w C:\Documents and Settings\Thomas\Application Data\DMCache
2008-06-05 22:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-05 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-05 00:00 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-04 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-04 02:15 --------- d-----w C:\Documents and Settings\Thomas\Application Data\VMware
2008-06-04 01:33 --------- d-----w C:\Program Files\Trend Micro
2008-06-03 22:06 --------- d-----w C:\Documents and Settings\Thomas\Application Data\mIRC
2008-06-03 03:48 --------- d-----w C:\Program Files\mIRC
2008-06-03 01:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-03 00:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 01:08 --------- d-----w C:\Program Files\eMule
2008-06-01 23:57 --------- d-----w C:\Documents and Settings\Thomas\Application Data\uTorrent
2008-06-01 23:00 --------- d-----w C:\Program Files\Bit Che
2008-05-29 22:23 --------- d-----w C:\Program Files\speedDIAL
2008-05-26 19:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 03:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-26 03:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 03:42 --------- d-----w C:\Program Files\Symantec
2008-05-23 20:55 --------- d-----w C:\Documents and Settings\Thomas\Application Data\IDM
2008-05-08 01:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 00:19 --------- d-----w C:\Program Files\VMware
2008-05-05 00:19 --------- d-----w C:\Program Files\Common Files\VMware
2008-04-29 10:27 32 ----a-w C:\WINDOWS\system32\drivers\mshcmd.sys.
2008-04-20 21:32 --------- d-----w C:\Program Files\Java
2008-04-20 20:41 --------- d-----w C:\Program Files\DIFX
2008-04-13 15:19 --------- d-----w C:\Program Files\FlashGet
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-06-04_18.22.54.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 22:15:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 22:55:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-04 21:48:03 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-05 22:55:58 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-04 21:48:03 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-05 22:55:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-04 21:48:03 114,688 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 22:55:58 114,688 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-05 00:23:15 56,642 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-04 22:20:56 56,642 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-05 00:23:16 390,062 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-04 22:20:56 390,062 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-05 22:57:05 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a4c.dat
+ 2008-06-05 22:56:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_c58.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24 65536]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-30 08:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [ ]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-03-09 20:31 2586032]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2003-11-12 06:54 48128]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2004-02-25 17:12 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"nwiz"="nwiz.exe" [2004-07-09 18:58 790528 C:\WINDOWS\system32\nwiz.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 01:40 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 18:00 88363 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TFncKy"="TFncKy.exe" []
"TFNF5"="TFNF5.exe" [2004-06-28 13:16 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-06-01 23:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-06-29 21:04 1077326]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 16:45 135168]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"TOSHIBA Picture Enhancement Utility"="C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe" [2004-07-16 18:24 638976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-06-17 04:04 122939]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2003-10-20 12:39 159744]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 06:36 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-19 16:26 77824]
"CFSServ.exe"="CFSServ.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-19 16:25 26112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2003-07-30 08:00 145408]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-09 18:58 3665920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RNBOStart"="c:\windows\system32\rnbosent\sentstrt.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe [2005-03-03 12:34:24 315392]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-07-19 14:52:19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003-12-16 20:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk
backup=C:\WINDOWS\pss\NetScreen-Remote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=C:\WINDOWS\pss\PdaNet Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^snipemon.LNK]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\snipemon.LNK
backup=C:\WINDOWS\pss\snipemon.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6be9ea1d]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=

R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11]
R2 Crypto;Crypto;C:\WINDOWS\System32\drivers\Crypto.sys [2000-07-10 17:01]
R2 DirectNT;DirectNT;C:\WINDOWS\System32\drivers\DirectNT.sys [1996-12-04 18:37]
R2 EWA net DB Core;EWA net DB Core;C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe [2003-11-05 12:02]
R2 EWA net DB EPC;EWA net DB EPC;C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe [2003-11-05 12:02]
R2 EWA net DB WIS;EWA net DB WIS;C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe [2003-11-05 12:02]
R2 EWA net Server;EWA net Server;C:\Program Files\EWA net\server\bin\tomcat.exe [2003-07-31 19:29]
R2 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\System32\Drivers\IPSECDRV.sys [2002-04-04 15:01]
R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\System32\DRIVERS\vap.sys [2002-02-27 14:59]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\System32\DRIVERS\pnetmdm.sys [2006-01-12 14:04]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\System32\DRIVERS\tosrfec.sys [2004-05-17 18:18]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;C:\WINDOWS\System32\DRIVERS\ttv200x.sys [2004-07-10 04:04]
S3 COH_Mon;COH_Mon;C:\WINDOWS\System32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\System32\DRIVERS\SWUSBFLT.sys [2001-08-17 14:02]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 18:59:15
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\konfig]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\license]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mcp]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehsched.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\iFtpSvc\iFtpSvc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\opt\mbcase\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Toshiba\ConfigFree\CFSServ.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\DWHWizrd.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2008-06-05 19:09:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 23:08:55
ComboFix2.txt 2008-06-04 22:24:27

Pre-Run: 50,555,396,096 bytes free
Post-Run: 50,542,497,792 bytes free

276


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:03 PM, on 6/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
C:\Program Files\EWA net\server\bin\tomcat.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\iFtpSvc\iFtpSvc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\System32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.46.16.119:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [RNBOStart] c:\windows\system32\rnbosent\sentstrt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400501926
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400486735
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
O23 - Service: EWA net DB EPC - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
O23 - Service: EWA net DB WIS - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
O23 - Service: EWA net Server - Alexandria Software Consulting - C:\Program Files\EWA net\server\bin\tomcat.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

--
End of file - 15800 bytes

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 AM

Posted 06 June 2008 - 07:39 PM

Hello,

Glad it's still running well. :thumbsup:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\mlcycigg.dll
C:\WINDOWS\system32\hxeijynd.dll
C:\WINDOWS\system32\dhdquwlk.ini
C:\WINDOWS\BM6be9ea1d.xml


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 TomJ

TomJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 06 June 2008 - 11:08 PM

Hello tea, everything seems great. Thanks again. Here are the logs"


ComboFix 08-06-03.1 - Thomas 2008-06-06 23:56:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.495 [GMT -4:00]
Running from: C:\Documents and Settings\Thomas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Thomas\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM6be9ea1d.xml
C:\WINDOWS\system32\dhdquwlk.ini
C:\WINDOWS\system32\hxeijynd.dll
C:\WINDOWS\system32\mlcycigg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6be9ea1d.xml
C:\WINDOWS\system32\dhdquwlk.ini
C:\WINDOWS\system32\hxeijynd.dll
C:\WINDOWS\system32\mlcycigg.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-04 20:04 . 2008-06-05 20:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Malwarebytes
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 20:04 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-04 20:04 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-04 13:40 . 2008-06-04 13:52 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-03 22:43 . 2008-06-03 20:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-03 20:40 . 2008-06-04 08:05 <DIR> d-------- C:\Documents and Settings\Thomas\.housecall6.6
2008-06-02 23:47 . 2008-06-05 20:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-02 23:47 . 2008-06-05 18:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-02 22:25 . 2008-06-04 13:00 443 --a------ C:\WINDOWS\wininit.ini
2008-06-02 21:28 . 2008-06-02 21:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-02 21:28 . 2008-06-02 21:28 2,547 --a------ C:\WINDOWS\unins000.dat
2008-06-01 17:08 . 2008-06-01 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-26 15:07 . 2008-05-26 15:08 <DIR> d-------- C:\Program Files\Toyota Diagnostics
2008-05-26 15:07 . 2006-12-13 13:03 2,335,240 --a------ C:\WINDOWS\system32\cwui.ocx
2008-05-26 15:07 . 2000-05-23 01:59 421,376 --a------ C:\WINDOWS\system32\CommX.ocx
2008-05-26 15:07 . 2006-01-17 09:45 299,464 -ra------ C:\WINDOWS\system32\drivers\windrvr6.sys
2008-05-26 15:07 . 2003-07-15 02:59 167,936 --a------ C:\WINDOWS\system32\VtxComm.dll
2008-05-26 15:07 . 1999-01-21 17:00 61,440 --a------ C:\WINDOWS\system32\RCF.DLL
2008-05-26 15:07 . 2006-12-13 13:03 40,960 --a------ C:\WINDOWS\system32\EasyScrollBarEx.ocx
2008-05-25 23:42 . 2008-05-25 23:42 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-25 23:42 . 2008-04-04 19:01 91,520 --a------ C:\WINDOWS\system32\drivers\SysPlant.sys
2008-05-25 23:42 . 2008-05-25 23:42 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-25 23:42 . 2008-05-25 23:42 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-25 23:42 . 2008-05-25 23:42 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-25 23:41 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-05-25 23:41 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-05-25 23:41 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-05-25 22:53 . 2008-05-25 23:47 <DIR> d-------- C:\programme
2008-05-18 20:28 . 2008-05-18 20:28 <DIR> d-------- C:\Program Files\7-Zip
2008-05-07 21:16 . 2008-05-07 21:16 <DIR> d-------- C:\Program Files\PCMSCAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 01:06 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-06 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-06 02:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-06 02:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-06 02:32 --------- d-----w C:\Documents and Settings\Thomas\Application Data\DMCache
2008-06-04 02:15 --------- d-----w C:\Documents and Settings\Thomas\Application Data\VMware
2008-06-04 01:33 --------- d-----w C:\Program Files\Trend Micro
2008-06-03 22:06 --------- d-----w C:\Documents and Settings\Thomas\Application Data\mIRC
2008-06-03 03:48 --------- d-----w C:\Program Files\mIRC
2008-06-03 01:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-03 00:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 01:08 --------- d-----w C:\Program Files\eMule
2008-06-01 23:57 --------- d-----w C:\Documents and Settings\Thomas\Application Data\uTorrent
2008-06-01 23:00 --------- d-----w C:\Program Files\Bit Che
2008-05-29 22:23 --------- d-----w C:\Program Files\speedDIAL
2008-05-26 19:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 03:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-26 03:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 03:42 --------- d-----w C:\Program Files\Symantec
2008-05-23 20:55 --------- d-----w C:\Documents and Settings\Thomas\Application Data\IDM
2008-05-08 01:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 10:14 --------- d-----w C:\Program Files\IFS
2008-05-05 00:19 --------- d-----w C:\Program Files\VMware
2008-05-05 00:19 --------- d-----w C:\Program Files\Common Files\VMware
2008-04-29 10:27 32 ----a-w C:\WINDOWS\system32\drivers\mshcmd.sys.
2008-04-20 21:32 --------- d-----w C:\Program Files\Java
2008-04-20 20:41 --------- d-----w C:\Program Files\DIFX
2008-04-13 15:19 --------- d-----w C:\Program Files\FlashGet
2008-04-04 23:03 91,632 ----a-w C:\WINDOWS\system32\nts.dll
2008-04-04 23:03 83,440 ----a-w C:\WINDOWS\system32\pds.dll
2008-04-04 23:03 83,384 ----a-w C:\WINDOWS\system32\loc32vc0.dll
2008-04-04 23:03 46,584 ----a-w C:\WINDOWS\system32\msgsys.dll
2008-04-04 23:03 34,288 ----a-w C:\WINDOWS\system32\cba.dll
2008-04-04 22:58 357,760 ----a-w C:\WINDOWS\system32\sysfer.dll
2008-04-04 22:58 107,904 ----a-w C:\WINDOWS\system32\SymVPN.dll
2008-04-04 22:55 48,000 ----a-w C:\WINDOWS\system32\FwsVpn.dll
.

------- Sigcheck -------

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-04_18.22.54.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 22:15:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 02:31:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-04 21:48:03 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-06 09:58:22 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-04 21:48:03 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-06 09:58:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-04 21:48:03 114,688 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-06 09:58:22 114,688 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-05 00:23:15 56,642 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-04 22:20:56 56,642 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-05 00:23:16 390,062 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-04 22:20:56 390,062 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-06 02:33:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_744.dat
+ 2008-06-06 02:33:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_838.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-30 08:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-03-09 20:31 2586032]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2003-11-12 06:54 48128]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2004-02-25 17:12 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 01:40 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 18:00 88363 C:\WINDOWS\agrsmmsg.exe]
"TFncKy"="TFncKy.exe" []
"TFNF5"="TFNF5.exe" [2004-06-28 13:16 73728 C:\WINDOWS\system32\TFNF5.exe]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"TOSHIBA Picture Enhancement Utility"="C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe" [2004-07-16 18:24 638976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-06-17 04:04 122939]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 06:36 86016]
"CFSServ.exe"="CFSServ.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-09 18:58 3665920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RNBOStart"="c:\windows\system32\rnbosent\sentstrt.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe [2005-03-03 12:34:24 315392]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-07-19 14:52:19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003-12-16 20:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk
backup=C:\WINDOWS\pss\NetScreen-Remote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=C:\WINDOWS\pss\PdaNet Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^snipemon.LNK]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\snipemon.LNK
backup=C:\WINDOWS\pss\snipemon.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6be9ea1d]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=

R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11]
R2 Crypto;Crypto;C:\WINDOWS\System32\drivers\Crypto.sys [2000-07-10 17:01]
R2 DirectNT;DirectNT;C:\WINDOWS\System32\drivers\DirectNT.sys [1996-12-04 18:37]
R2 EWA net DB Core;EWA net DB Core;C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe [2003-11-05 12:02]
R2 EWA net DB EPC;EWA net DB EPC;C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe [2003-11-05 12:02]
R2 EWA net DB WIS;EWA net DB WIS;C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe [2003-11-05 12:02]
R2 EWA net Server;EWA net Server;C:\Program Files\EWA net\server\bin\tomcat.exe [2003-07-31 19:29]
R2 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\System32\Drivers\IPSECDRV.sys [2002-04-04 15:01]
R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\System32\DRIVERS\vap.sys [2002-02-27 14:59]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\System32\DRIVERS\pnetmdm.sys [2006-01-12 14:04]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\System32\DRIVERS\tosrfec.sys [2004-05-17 18:18]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;C:\WINDOWS\System32\DRIVERS\ttv200x.sys [2004-07-10 04:04]
S3 COH_Mon;COH_Mon;C:\WINDOWS\System32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\System32\DRIVERS\SWUSBFLT.sys [2001-08-17 14:02]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 00:01:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\konfig]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\license]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mcp]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"
.
Completion time: 2008-06-07 0:03:42
ComboFix-quarantined-files.txt 2008-06-07 04:03:31
ComboFix2.txt 2008-06-05 23:09:07
ComboFix3.txt 2008-06-04 22:24:27

Pre-Run: 50,193,539,072 bytes free
Post-Run: 50,183,524,352 bytes free

228


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:40 AM, on 6/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
C:\Program Files\EWA net\server\bin\tomcat.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\iFtpSvc\iFtpSvc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\System32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.46.16.119:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [RNBOStart] c:\windows\system32\rnbosent\sentstrt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400501926
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400486735
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
O23 - Service: EWA net DB EPC - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
O23 - Service: EWA net DB WIS - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
O23 - Service: EWA net Server - Alexandria Software Consulting - C:\Program Files\EWA net\server\bin\tomcat.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

--
End of file - 15784 bytes

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 AM

Posted 09 June 2008 - 01:24 AM

Hello,

That's good, and you're welcome. :)

One more time for this stubborn little key :

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6be9ea1d]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. Hopefully it will be the last. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 TomJ

TomJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 10 June 2008 - 05:34 PM

Hello tea, sorry for the delay in responding. I did as you said. the system has been running excellent. Thank you

Here are the logs:

ComboFix 08-06-03.1 - Thomas 2008-06-10 18:08:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.470 [GMT -4:00]
Running from: C:\Documents and Settings\Thomas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Thomas\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-08 21:19 . 2008-06-08 21:19 <DIR> d-------- C:\Program Files\PCLinq2 High-Speed USB Bridge Cable
2008-06-07 09:43 . 2008-06-07 09:43 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Thinstall
2008-06-04 20:04 . 2008-06-05 20:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Malwarebytes
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 20:04 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-04 20:04 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-04 13:40 . 2008-06-04 13:52 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-03 22:43 . 2008-06-03 20:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-03 20:40 . 2008-06-04 08:05 <DIR> d-------- C:\Documents and Settings\Thomas\.housecall6.6
2008-06-02 23:47 . 2008-06-05 20:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-02 23:47 . 2008-06-05 18:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-02 22:25 . 2008-06-04 13:00 443 --a------ C:\WINDOWS\wininit.ini
2008-06-02 21:28 . 2008-06-02 21:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-02 21:28 . 2008-06-02 21:28 2,547 --a------ C:\WINDOWS\unins000.dat
2008-06-01 17:08 . 2008-06-01 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-26 15:07 . 2008-05-26 15:08 <DIR> d-------- C:\Program Files\Toyota Diagnostics
2008-05-26 15:07 . 2006-12-13 13:03 2,335,240 --a------ C:\WINDOWS\system32\cwui.ocx
2008-05-26 15:07 . 2000-05-23 01:59 421,376 --a------ C:\WINDOWS\system32\CommX.ocx
2008-05-26 15:07 . 2006-01-17 09:45 299,464 -ra------ C:\WINDOWS\system32\drivers\windrvr6.sys
2008-05-26 15:07 . 2003-07-15 02:59 167,936 --a------ C:\WINDOWS\system32\VtxComm.dll
2008-05-26 15:07 . 1999-01-21 17:00 61,440 --a------ C:\WINDOWS\system32\RCF.DLL
2008-05-26 15:07 . 2006-12-13 13:03 40,960 --a------ C:\WINDOWS\system32\EasyScrollBarEx.ocx
2008-05-25 23:42 . 2008-05-25 23:42 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-25 23:42 . 2008-04-04 19:01 91,520 --a------ C:\WINDOWS\system32\drivers\SysPlant.sys
2008-05-25 23:42 . 2008-05-25 23:42 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-25 23:42 . 2008-05-25 23:42 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-25 23:42 . 2008-05-25 23:42 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-25 23:41 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-05-25 23:41 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-05-25 23:41 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-05-25 22:53 . 2008-05-25 23:47 <DIR> d-------- C:\programme
2008-05-18 20:28 . 2008-05-18 20:28 <DIR> d-------- C:\Program Files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 22:08 --------- d-----w C:\Documents and Settings\Thomas\Application Data\mIRC
2008-06-10 21:47 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-09 01:47 --------- d-----w C:\Program Files\mIRC
2008-06-09 01:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-09 01:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-06-09 01:44 --------- d-----w C:\Documents and Settings\Thomas\Application Data\DMCache
2008-06-09 01:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 22:46 --------- d-----w C:\Program Files\eMule
2008-06-08 22:38 --------- d-----w C:\Program Files\Bit Che
2008-06-06 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-04 02:15 --------- d-----w C:\Documents and Settings\Thomas\Application Data\VMware
2008-06-04 01:33 --------- d-----w C:\Program Files\Trend Micro
2008-06-03 01:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-03 00:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-01 23:57 --------- d-----w C:\Documents and Settings\Thomas\Application Data\uTorrent
2008-05-29 22:23 --------- d-----w C:\Program Files\speedDIAL
2008-05-26 03:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-26 03:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 03:42 --------- d-----w C:\Program Files\Symantec
2008-05-23 20:55 --------- d-----w C:\Documents and Settings\Thomas\Application Data\IDM
2008-05-08 01:16 --------- d-----w C:\Program Files\PCMSCAN
2008-05-08 01:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 10:14 --------- d-----w C:\Program Files\IFS
2008-05-05 00:19 --------- d-----w C:\Program Files\VMware
2008-05-05 00:19 --------- d-----w C:\Program Files\Common Files\VMware
2008-04-29 10:27 32 ----a-w C:\WINDOWS\system32\drivers\mshcmd.sys.
2008-04-20 21:32 --------- d-----w C:\Program Files\Java
2008-04-20 20:41 --------- d-----w C:\Program Files\DIFX
2008-04-13 15:19 --------- d-----w C:\Program Files\FlashGet
2008-04-04 23:03 91,632 ----a-w C:\WINDOWS\system32\nts.dll
2008-04-04 23:03 83,440 ----a-w C:\WINDOWS\system32\pds.dll
2008-04-04 23:03 83,384 ----a-w C:\WINDOWS\system32\loc32vc0.dll
2008-04-04 23:03 46,584 ----a-w C:\WINDOWS\system32\msgsys.dll
2008-04-04 23:03 34,288 ----a-w C:\WINDOWS\system32\cba.dll
2008-04-04 22:58 357,760 ----a-w C:\WINDOWS\system32\sysfer.dll
2008-04-04 22:58 107,904 ----a-w C:\WINDOWS\system32\SymVPN.dll
2008-04-04 22:55 48,000 ----a-w C:\WINDOWS\system32\FwsVpn.dll
.

------- Sigcheck -------

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-04_18.22.54.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 22:15:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 01:44:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-04 21:48:03 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-09 01:44:22 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-04 21:48:03 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-09 01:44:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-04 21:48:03 114,688 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-09 01:44:22 114,688 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-08-09 20:46:02 49,792 ----a-w C:\WINDOWS\system32\drivers\oxser.sys
+ 2006-09-23 16:37:10 59,648 ----a-w C:\WINDOWS\system32\drivers\ZteitSerial.sys
+ 2006-12-16 12:31:20 37,888 ----a-w C:\WINDOWS\system32\drivers\ZteitSermux.sys
+ 2006-12-16 12:37:46 19,200 ----a-w C:\WINDOWS\system32\drivers\ZteitSerPrt.sys
+ 2006-08-09 20:46:02 94,208 ----a-w C:\WINDOWS\system32\oxui.dll
- 2008-05-05 00:23:15 56,642 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-04 22:20:56 56,642 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-05 00:23:16 390,062 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-04 22:20:56 390,062 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-09 01:46:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6a8.dat
+ 2008-06-09 01:46:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_ba4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-30 08:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-03-09 20:31 2586032]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2003-11-12 06:54 48128]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2004-02-25 17:12 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 01:40 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 18:00 88363 C:\WINDOWS\agrsmmsg.exe]
"TFncKy"="TFncKy.exe" []
"TFNF5"="TFNF5.exe" [2004-06-28 13:16 73728 C:\WINDOWS\system32\TFNF5.exe]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 18:07 49152]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"TOSHIBA Picture Enhancement Utility"="C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe" [2004-07-16 18:24 638976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-06-17 04:04 122939]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 06:36 86016]
"CFSServ.exe"="CFSServ.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-09 18:58 3665920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RNBOStart"="c:\windows\system32\rnbosent\sentstrt.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe [2005-03-03 12:34:24 315392]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-07-19 14:52:19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003-12-16 20:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk
backup=C:\WINDOWS\pss\NetScreen-Remote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=C:\WINDOWS\pss\PdaNet Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^snipemon.LNK]
path=C:\Documents and Settings\Thomas\Start Menu\Programs\Startup\snipemon.LNK
backup=C:\WINDOWS\pss\snipemon.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=

R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11]
R2 Crypto;Crypto;C:\WINDOWS\System32\drivers\Crypto.sys [2000-07-10 17:01]
R2 DirectNT;DirectNT;C:\WINDOWS\System32\drivers\DirectNT.sys [1996-12-04 18:37]
R2 EWA net DB Core;EWA net DB Core;C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe [2003-11-05 12:02]
R2 EWA net DB EPC;EWA net DB EPC;C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe [2003-11-05 12:02]
R2 EWA net DB WIS;EWA net DB WIS;C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe [2003-11-05 12:02]
R2 EWA net Server;EWA net Server;C:\Program Files\EWA net\server\bin\tomcat.exe [2003-07-31 19:29]
R2 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\System32\Drivers\IPSECDRV.sys [2002-04-04 15:01]
R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\System32\DRIVERS\vap.sys [2002-02-27 14:59]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\System32\DRIVERS\pnetmdm.sys [2006-01-12 14:04]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\System32\DRIVERS\tosrfec.sys [2004-05-17 18:18]
R3 ttv200x;TOSHIBA PCI TV Tuner type W;C:\WINDOWS\System32\DRIVERS\ttv200x.sys [2004-07-10 04:04]
S3 COH_Mon;COH_Mon;C:\WINDOWS\System32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 oxser;OX16C95x Serial port driver;C:\WINDOWS\System32\DRIVERS\oxser.sys [2006-08-09 16:46]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\System32\DRIVERS\SWUSBFLT.sys [2001-08-17 14:02]
S3 ZteitSerMux;ZteitSerMux;C:\WINDOWS\System32\DRIVERS\zteitsermux.sys [2006-12-16 08:31]
S3 zteitserprt;zteitserprt;C:\WINDOWS\System32\DRIVERS\zteitserprt.sys [2006-12-16 08:37]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 18:15:23
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\konfig]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\license]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mcp]
"ImagePath"="c:\opt\MBCASE\pm\bin\mcp"
.
Completion time: 2008-06-10 18:17:50
ComboFix-quarantined-files.txt 2008-06-10 22:17:32
ComboFix2.txt 2008-06-07 04:03:43
ComboFix3.txt 2008-06-05 23:09:07
ComboFix4.txt 2008-06-04 22:24:27

Pre-Run: 49,685,307,392 bytes free
Post-Run: 49,681,526,784 bytes free

225


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:45 PM, on 6/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
C:\Program Files\EWA net\server\bin\tomcat.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\iFtpSvc\iFtpSvc.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.46.16.119:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [RNBOStart] c:\windows\system32\rnbosent\sentstrt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400501926
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207400486735
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EWA net DB Core - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EWA\tbmux32.exe
O23 - Service: EWA net DB EPC - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase EPC\tbmux32.exe
O23 - Service: EWA net DB WIS - Transaction Software, D 81737 Munich - C:\Program Files\EWA net\database\TransBase WIS\tbmux32.exe
O23 - Service: EWA net Server - Alexandria Software Consulting - C:\Program Files\EWA net\server\bin\tomcat.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

--
End of file - 15739 bytes

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 AM

Posted 15 June 2008 - 11:53 AM

Hello,

My apologies for not responding sooner. :) I took a peek when you posted and when I saw everything was all right I went to a real problem log I have going. I'm sorry. :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

MOST IMPORTANT!
Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. Your current versions are outdated. I cannot stress enough how important this is. I use Firefox exclusively myself, but you still need to update IE for the security benefits. :thumbsup:

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#14 TomJ

TomJ
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 19 June 2008 - 04:47 PM

Tea,

I just want to Thank you again. The unit is running excellent and everthing is perfect. Thank you for your excellent service and for being so fast and helping with my problem. I could have never done it without you!!

Thank you
Tom

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 AM

Posted 28 June 2008 - 10:46 AM

Hi there Tom,

I apologize for my absence the last several days. :thumbsup: I've been sick. I'm just now able to sit and concentrate on logs, hence my delayed reply to you.

I'm glad it's running well, and you're most welcome. :)

Best,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users