
Resycled/boot.com possible rootkit


This topic is locked
11 replies to this topic

#1 momonarikun

momonarikun

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 04 January 2009 - 03:24 AM

This virus/malware will not go away and seems to have infected all drives. It is recognized during a scan by Spyware Doctor but keeps appearing when I restart, and it also infected my removable USB hard drive. Please help me. Here are my DDS and HijackThis files:

DDS (Version 1.1.0) - NTFSx86
Run by Joe at 2:16:05.10 on Sun 01/04/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.572 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\KeenfinderSrch\keenfinder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\pctsTray.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\KeenfinderSrch\keenfinder.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Documents and Settings\Joe\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.toshiba.com/search
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Desktop Calendar] c:\program files\desktop calendar\Desktop Calendar.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [<NO NAME>]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Notify: igfxcui - igfxdev.dll
Notify: jkkIBQHB - jkkIBQHB.dll
AppInit_DLLs: avgrsstx.dll c:\program files\relevantknowledge\rlai.dll c:\program files\relevantknowledge\rlai.dll lmtwgx.dll ,c:\windows\system32\vuvimuwe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvwWOig
LSA: Notification Packages = scecli c:\windows\system32\vuvimuwe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\14qopspr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-3 40840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-11 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-11 26824]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-3 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-3 81288]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-6-12 33792]
R3 EchoIndigoIO;Echo Indigo io Service;c:\windows\system32\drivers\echondgo.sys [2007-1-3 140928]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 231704]
R4 KeenfinderSrch Service;KeenfinderSrch Service;c:\program files\keenfindersrch\keenfinder.exe [2008-12-15 4608]
R4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2008-7-21 193888]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-3 356920]

R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-3 1079176]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-13 24652]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-16 38496]

=============== Created Last 30 ================

2009-01-04 02:10 <DIR> --d----- c:\program files\Trend Micro
2009-01-03 12:56 <DIR> --dshr-- C:\resycled
2009-01-03 12:21 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-03 12:21 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-03 12:21 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-03 12:21 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-03 12:20 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-03 12:20 <DIR> --d----- c:\docume~1\joe\applic~1\PC Tools
2009-01-03 12:20 <DIR> --d----- c:\program files\common files\Download Manager
2009-01-02 16:37 71,680 a------- c:\windows\system32\drivers\msqpdxserv.sys
2008-12-31 12:56 <DIR> --d----- c:\program files\K-Lite Codec Pack
2008-12-29 21:53 <DIR> --d----- c:\program files\VideoLAN
2008-12-29 21:29 <DIR> --d----- c:\program files\The KMPlayer
2008-12-29 18:42 <DIR> --d----- C:\Games
2008-12-29 18:42 298,496 a------- c:\windows\uninst.exe
2008-12-29 17:46 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-29 06:14 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-12-26 01:30 <DIR> --d----- c:\program files\Bonjour
2008-12-23 23:32 <DIR> --d----- c:\program files\Maxtor
2008-12-23 23:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Maxtor
2008-12-23 23:31 <DIR> --d----- c:\windows\Downloaded Installations
2008-12-23 23:31 <DIR> --dsh--- c:\windows\ftpcache
2008-12-22 15:24 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-22 15:24 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 15:23 <DIR> --d----- c:\program files\iPod
2008-12-22 15:23 <DIR> --d----- c:\program files\iTunes
2008-12-22 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 04:01 <DIR> --d----- c:\docume~1\joe\applic~1\Sierra
2008-12-22 03:35 <DIR> --d----- c:\program files\Sierra
2008-12-22 03:08 291,600 a------- c:\windows\system\WININET.DLL
2008-12-22 03:08 <DIR> --d----- C:\SIERRA
2008-12-16 00:10 <DIR> --d----- c:\docume~1\joe\applic~1\Malwarebytes
2008-12-16 00:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-16 00:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 00:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 00:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-15 22:01 <DIR> --d----- c:\program files\Lavasoft
2008-12-15 18:44 11 a----r-- c:\windows\amunres.lsl
2008-12-15 16:23 <DIR> --d----- c:\docume~1\joe\applic~1\Twain
2008-12-15 16:14 1,647,997 ---sh--- c:\windows\system32\lrvfoybq.ini
2008-12-15 14:31 <DIR> --d----- c:\program files\KeenfinderSrch
2008-12-14 16:12 1,647,997 ---sh--- c:\windows\system32\acmjhlfn.ini
2008-12-14 16:11 887,581 a--sh--- c:\windows\system32\giOWwvut.ini2
2008-12-14 16:11 887,581 a--sh--- c:\windows\system32\giOWwvut.ini
2008-12-12 17:50 <DIR> --d----- c:\docume~1\joe\applic~1\MySpace
2008-12-12 17:50 <DIR> --d----- c:\program files\MySpace
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-07 01:39 <DIR> --d----- c:\program files\FileSubmit
2008-12-07 01:38 <DIR> --d----- c:\program files\Keenfinder
2008-12-06 04:48 2,321,792 a------- c:\windows\system32\TUKernel.exe
2008-12-06 04:34 96,247 a------- C:\Starcluster_-_Space.jpg
2008-12-06 03:50 <DIR> --d----- c:\docume~1\joe\applic~1\TuneUp Software
2008-12-06 03:50 29,704 a------- c:\windows\system32\uxtuneup.dll
2008-12-06 03:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2008-12-06 03:49 <DIR> --d----- c:\program files\TuneUp Utilities 2007
2008-12-06 03:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-05 13:01 <DIR> --d----- c:\program files\Brain Workshop

==================== Find3M ====================

2008-12-09 02:04 137 a---h--- c:\docume~1\joe\applic~1\lakerda1967.sys
2008-11-21 15:47 524,288 a------- c:\windows\system32\nso4A1.tmp
2008-11-21 15:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 15:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 15:47 3,596,288 a------- c:\windows\system32\nsx4A0.tmp
2008-11-21 15:46 1,044,480 ac------ c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 ac------ c:\windows\system32\ssldivx.dll
2008-11-21 15:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 12,288 ac------ c:\windows\system32\DivXWMPExtType.dll
2008-11-13 21:22 360,580 a------- c:\windows\eSellerateEngine.dll
2008-08-05 20:04 256 ac------ c:\documents and settings\joe\pool.bin

============= FINISH: 2:17:11.09 ===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:02 AM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\KeenfinderSrch\keenfinder.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\KeenfinderSrch\keenfinder.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-19\..\Run: [duzobihotu] Rundll32.exe "C:\WINDOWS\system32\davafuhu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [duzobihotu] Rundll32.exe "C:\WINDOWS\system32\davafuhu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - AppInit_DLLs: avgrsstx.dll C:\program files\relevantknowledge\rlai.dll C:\program files\relevantknowledge\rlai.dll lmtwgx.dll ,C:\WINDOWS\system32\vuvimuwe.dll
O20 - Winlogon Notify: jkkIBQHB - jkkIBQHB.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KeenfinderSrch Service - Unknown owner - C:\Program Files\KeenfinderSrch\keenfinder.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9085 bytes

Attached Files

  • Attached File  DDS.txt   12.89KB   22 downloads



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:04:54 PM

Posted 05 January 2009 - 02:51 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 momonarikun

momonarikun
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 05 January 2009 - 03:42 AM

Hello!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:40 AM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\KeenfinderSrch\keenfinder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\KeenfinderSrch\keenfinder.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-19\..\Run: [duzobihotu] Rundll32.exe "C:\WINDOWS\system32\davafuhu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [duzobihotu] Rundll32.exe "C:\WINDOWS\system32\davafuhu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - AppInit_DLLs: avgrsstx.dll C:\program files\relevantknowledge\rlai.dll C:\program files\relevantknowledge\rlai.dll lmtwgx.dll ,C:\WINDOWS\system32\vuvimuwe.dll
O20 - Winlogon Notify: jkkIBQHB - jkkIBQHB.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KeenfinderSrch Service - Unknown owner - C:\Program Files\KeenfinderSrch\keenfinder.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8625 bytes

ComboFix 09-01-04.01 - Joe 2009-01-05 2:29:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.1029 [GMT -6:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Joe\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\acmjhlfn.ini
c:\windows\system32\giOWwvut.ini
c:\windows\system32\giOWwvut.ini2
c:\windows\system32\lrvfoybq.ini
c:\windows\Tasks\ghxsocnp.job
E:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://madtorrents.info
.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 03:20 . 2009-01-04 13:44 <DIR> d-------- C:\HD
2009-01-04 02:10 . 2009-01-04 02:10 <DIR> d-------- c:\program files\Trend Micro
2009-01-03 12:21 . 2009-01-03 12:32 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-03 12:21 . 2009-01-03 12:33 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-03 12:21 . 2009-01-03 12:32 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-03 12:21 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-03 12:20 . 2009-01-05 01:34 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\documents and settings\Joe\Application Data\PC Tools
2009-01-02 22:40 . 2005-12-29 13:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\toshiba
2009-01-02 22:40 . 2008-06-11 04:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
2009-01-02 22:40 . 2009-01-03 05:00 <DIR> d---s---- c:\documents and settings\Administrator
2008-12-31 12:56 . 2008-12-31 12:56 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-29 21:54 . 2008-12-29 22:19 <DIR> d-------- c:\documents and settings\Joe\Application Data\vlc
2008-12-29 21:53 . 2008-12-29 21:53 <DIR> d-------- c:\program files\VideoLAN
2008-12-29 21:29 . 2008-12-29 21:32 <DIR> d-------- c:\program files\The KMPlayer
2008-12-29 18:42 . 2008-12-29 18:42 <DIR> d-------- C:\Games
2008-12-29 18:42 . 1996-10-15 18:01 298,496 --a------ c:\windows\uninst.exe
2008-12-29 17:46 . 2008-12-29 17:45 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-29 06:14 . 2008-12-29 06:14 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-12-29 06:12 . 2008-12-29 06:13 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-12-26 01:30 . 2008-12-26 01:30 <DIR> d-------- c:\program files\Bonjour
2008-12-23 23:32 . 2008-12-24 00:43 <DIR> d-------- c:\program files\Maxtor
2008-12-23 23:32 . 2008-12-24 00:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Maxtor
2008-12-23 23:31 . 2008-12-23 23:31 <DIR> d--hs---- c:\windows\ftpcache
2008-12-23 23:31 . 2008-12-24 00:39 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-22 15:24 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-22 15:24 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 15:23 . 2008-12-22 15:24 <DIR> d-------- c:\program files\iTunes
2008-12-22 15:23 . 2008-12-22 15:23 <DIR> d-------- c:\program files\iPod
2008-12-22 15:23 . 2008-12-22 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 04:01 . 2008-12-22 04:01 <DIR> d-------- c:\documents and settings\Joe\Application Data\Sierra
2008-12-22 03:35 . 2008-12-22 03:35 <DIR> d-------- c:\program files\Sierra
2008-12-22 03:08 . 2008-12-22 03:08 <DIR> d-------- C:\SIERRA
2008-12-22 03:08 . 1996-10-15 10:40 291,600 --a------ c:\windows\system\WININET.DLL
2008-12-16 00:10 . 2008-12-16 00:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 00:10 . 2008-12-16 00:10 <DIR> d-------- c:\documents and settings\Joe\Application Data\Malwarebytes
2008-12-16 00:10 . 2008-12-16 00:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 00:10 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 00:10 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-15 22:01 . 2008-12-15 22:01 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 22:01 . 2009-01-04 04:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 18:44 . 2008-12-15 18:44 11 -ra------ c:\windows\amunres.lsl
2008-12-15 17:26 . 2009-01-05 02:12 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-15 16:23 . 2008-12-15 21:53 <DIR> d-------- c:\documents and settings\Joe\Application Data\Twain
2008-12-15 14:31 . 2008-12-15 14:31 <DIR> d-------- c:\program files\KeenfinderSrch
2008-12-14 17:01 . 2008-12-14 17:01 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\aAvgApi
2008-12-12 17:50 . 2008-12-12 17:50 <DIR> d-------- c:\program files\MySpace
2008-12-12 17:50 . 2008-12-12 17:50 <DIR> d-------- c:\documents and settings\Joe\Application Data\MySpace
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-12-07 01:39 . 2008-12-07 01:39 <DIR> d-------- c:\program files\FileSubmit
2008-12-07 01:38 . 2008-12-15 14:31 <DIR> d-------- c:\program files\Keenfinder
2008-12-06 04:48 . 2008-12-06 04:48 2,321,792 --a------ c:\windows\system32\TUKernel.exe
2008-12-06 04:34 . 2008-12-06 04:34 96,247 --a------ C:\Starcluster_-_Space.jpg
2008-12-06 03:50 . 2008-12-06 03:50 <DIR> d-------- c:\documents and settings\Joe\Application Data\TuneUp Software
2008-12-06 03:50 . 2008-12-06 03:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-06 03:50 . 2007-05-16 09:41 29,704 --a------ c:\windows\system32\uxtuneup.dll
2008-12-06 03:49 . 2008-12-31 12:50 <DIR> d-------- c:\program files\TuneUp Utilities 2007
2008-12-06 03:49 . 2009-01-04 04:33 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-05 13:01 . 2008-12-05 13:01 <DIR> d-------- c:\program files\Brain Workshop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 08:12 --------- d-----w c:\documents and settings\Joe\Application Data\uTorrent
2009-01-03 19:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-03 19:18 --------- d-----w c:\program files\Microsoft Works
2009-01-03 19:13 --------- d-----w c:\program files\Microsoft Expression
2009-01-02 09:31 --------- d-----w c:\documents and settings\Joe\Application Data\OpenOffice.org2
2008-12-31 18:44 --------- d-----w c:\program files\DirectVobSub
2008-12-30 02:34 --------- d-----w c:\program files\DivX
2008-12-29 23:45 --------- d-----w c:\program files\Java
2008-12-29 23:38 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2008-12-24 06:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 21:23 --------- d-----w c:\program files\Common Files\Apple
2008-12-22 08:44 --------- d-----w c:\program files\VDMSound
2008-12-22 07:25 --------- d-----w c:\program files\Soulseek
2008-12-18 06:15 --------- d-----w c:\program files\OpenOffice.org 2.4
2008-12-16 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-09 08:04 137 ---ha-w c:\documents and settings\Joe\Application Data\lakerda1967.sys
2008-12-09 08:04 --------- d-----w c:\program files\docXConverter3
2008-12-06 10:02 --------- d-----w c:\program files\DreamStation DXi
2008-12-03 00:10 --------- d-----w c:\program files\WinZip Self-Extractor
2008-12-03 00:10 --------- d-----w c:\documents and settings\All Users\Application Data\WinZipSE
2008-12-02 07:52 --------- d-----w c:\documents and settings\Joe\Application Data\Apple Computer
2008-11-29 23:59 --------- d-----w c:\program files\QuickTime
2008-11-29 23:57 --------- d-----w c:\program files\Apple Software Update
2008-11-28 08:53 --------- d-----w c:\documents and settings\Joe\Application Data\Red Kawa
2008-11-28 08:27 --------- d-----w c:\program files\Red Kawa
2008-11-28 08:27 --------- d-----w c:\program files\AviSynth 2.5
2008-11-14 03:22 360,580 ----a-w c:\windows\eSellerateEngine.dll
2008-11-14 03:22 --------- d-----w c:\program files\Common Files\eSellerate
2008-11-07 00:14 --------- d-----w c:\program files\Gabest
2008-11-06 20:07 --------- d-----w c:\documents and settings\Joe\Application Data\DivX
2008-11-05 23:44 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-05 23:44 --------- d-----w c:\documents and settings\Joe\Application Data\SystemRequirementsLab
2008-08-06 02:04 256 -c--a-w c:\documents and settings\Joe\pool.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2003-10-31 442368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-15 1261336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 c:\windows\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-12-27 c:\windows\system32\TDispVol.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-29 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.audxacm"= audxacm.acm
"msacm.ac3acm4audx"= AC3ACM4AUDX.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Joe\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Joe\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-06-06 10:04 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2004-03-24 00:40 196608 c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-15 18:45 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
--a--c--- 2005-12-01 13:13 671744 c:\program files\Toshiba\E-KEY\CeEKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
--a--c--- 2004-05-01 15:45 28672 c:\program files\Toshiba\TOSHIBA Applet\HWSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2005-11-28 12:41 602182 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2005-12-05 13:37 667718 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a--c--- 2004-08-18 05:37 184320 c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a--c--- 2005-07-15 12:52 1077322 c:\program files\Toshiba\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a--c--- 2005-03-17 19:37 151552 c:\toshiba\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2008-03-06 15:19 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a--c--- 2005-04-26 18:13 122880 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
--a--c--- 2004-05-01 15:45 65536 c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a--c--- 2004-12-30 02:32 65536 c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
--a--c--- 2005-12-13 18:28 53248 c:\program files\Toshiba\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a--c--- 2005-11-30 14:25 73728 c:\program files\Toshiba\Tvs\TvsTray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"MySpaceIM"=c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"AGRSMMSG"=AGRSMMSG.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"CPM97c831dc"=Rundll32.exe "c:\windows\system32\nimusofa.dll",a
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\JFDuke3D\\duke3d.exe"=
"c:\\Program Files\\JFDuke3D\\1.5\\DukesterX.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-11 97928]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-06-12 33792]
R3 EchoIndigoIO;Echo Indigo io Service;c:\windows\system32\drivers\echondgo.sys [2007-01-03 140928]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 231704]
R4 KeenfinderSrch Service;KeenfinderSrch Service;c:\program files\KeenfinderSrch\keenfinder.exe [2008-12-15 4608]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-06-13 24652]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-03 356920]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f25e308-507d-11dd-9f63-001302730db0}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{558108f0-7866-11dd-9f89-001302730db0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-jkkIBQHB - jkkIBQHB.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\14qopspr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 02:34:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-05 2:37:51 - machine was rebooted [Joe]
ComboFix-quarantined-files.txt 2009-01-05 08:37:49

Pre-Run: 24,048,762,880 bytes free
Post-Run: 23,989,313,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=WMAFPZ /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=WMAFPZ-BAK

319 --- E O F --- 2008-09-29 05:38:02

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 05 January 2009 - 03:49 AM

Uninstall Viewpoint from your computer....


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O4 - HKUS\S-1-5-19\..\Run: [duzobihotu] Rundll32.exe "C:\WINDOWS\system32\davafuhu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [duzobihotu] Rundll32.exe "C:\WINDOWS\system32\davafuhu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: avgrsstx.dll C:\program files\relevantknowledge\rlai.dll C:\program files\relevantknowledge\rlai.dll lmtwgx.dll ,C:\WINDOWS\system32\vuvimuwe.dll
O20 - Winlogon Notify: jkkIBQHB - jkkIBQHB.dll (file missing)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



I see you have Malwarebytes' on your computer.. Update it and run a "Perform Full Scan".. Then remove everything that it found and post the log here..


Then reboot your computer and run ComboFix and HijackThis again.. Post these logs in your next reply..

1. Malwarebytes'
2. ComboFix
3. A fresh HijackThis log..

Edited by fenzodahl512, 05 January 2009 - 03:50 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
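As an added example (not code from this thread, from HijackThis, or from BleepingComputer), the following Python triage pass applies the same reasoning fenzodahl512 used when picking the entries to fix: Run values that use Rundll32 to load a DLL under the LOCAL SERVICE / NETWORK SERVICE accounts, AppInit_DLLs entries beyond the one antivirus DLL expected there, and a Winlogon Notify package whose file is missing. The sample lines are constructed from this thread's own HijackThis log plus two benign AVG entries for contrast; the allowlist containing only avgrsstx.dll is an assumption made for the example.

```python
"""Triage rules for HijackThis O4/O20 lines, run over constructed sample lines.

Added example for this thread; not code from HijackThis or BleepingComputer.
"""
import re
from dataclasses import dataclass

# Assumption for the example: avgrsstx.dll is AVG 8's own AppInit_DLLs entry on
# this machine, so it is allowlisted; every other DLL in that value gets flagged.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}

# Constructed sample: the four lines fenzodahl512 asked to be fixed, plus two
# benign AVG entries taken from the same log for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [duzobihotu] Rundll32.exe "C:\WINDOWS\system32\davafuhu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [duzobihotu] Rundll32.exe "C:\WINDOWS\system32\davafuhu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: avgrsstx.dll C:\program files\relevantknowledge\rlai.dll C:\program files\relevantknowledge\rlai.dll lmtwgx.dll ,C:\WINDOWS\system32\vuvimuwe.dll
O20 - Winlogon Notify: jkkIBQHB - jkkIBQHB.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    line: str    # the original log line
    kind: str    # which rule fired
    detail: str  # what to review and why


O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_RE = re.compile(r"\(User '(?P<user>[^']+)'\)$")
# Rundll32 followed by an optionally quoted DLL path: a common way to run a DLL at logon.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
# Full paths may contain spaces, so DLL tokens are located by their .dll suffix.
DLL_TOKEN_RE = re.compile(r"[A-Za-z]:\\[^,]*?\.dll|[\w-]+\.dll", re.I)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*?)(?P<missing> \(file missing\))?$")


def appinit_dlls(value: str) -> list[str]:
    """Return the unique DLL paths in an AppInit_DLLs value, in order of appearance."""
    seen: list[str] = []
    for token in DLL_TOKEN_RE.findall(value):
        if token not in seen:
            seen.append(token)
    return seen


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Apply the three rules to every line and collect the entries worth reviewing."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"])
            if r:  # autorun via Rundll32; note which account context it runs in
                u = USER_RE.search(m["cmd"])
                who = u["user"] if u else m["hive"]
                findings.append(Finding(line, "rundll32_autorun",
                    f"{m['key']} value '{m['name']}' for {who} loads {r['dll']} via Rundll32"))
            continue
        m = APPINIT_RE.match(line)
        if m:  # AppInit_DLLs are loaded into every process that links user32.dll
            for dll in appinit_dlls(m["value"]):
                if basename(dll) not in KNOWN_APPINIT_DLLS:
                    findings.append(Finding(line, "appinit_dll",
                        f"{dll} is injected into every user32-linked process and is not allowlisted"))
            continue
        m = NOTIFY_RE.match(line)
        if m:  # Winlogon Notify packages run inside winlogon.exe at logon events
            state = "orphaned (file missing)" if m["missing"] else "present"
            findings.append(Finding(line, "winlogon_notify",
                f"Winlogon Notify package '{m['name']}' -> {m['dll']} is {state}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, handy for a quick overview of a long log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

On the sample above the pass reports the two Rundll32 Run values (one per service account), three non-allowlisted AppInit DLLs (rlai.dll is listed twice in the log but counted once) and the orphaned Winlogon Notify package, while the two AVG lines produce nothing. Paste a full HijackThis log into `SAMPLE_LOG` to run it over real output.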


#5 momonarikun
  • Topic Starter

  • Members
  • 6 posts

Posted 05 January 2009 - 06:11 AM

Hello again and thank you for the quick reply. Those registry entries were not there when I went to delete them from the HijackThis scan. I did however uninstall Viewpoint. Here are the three logs:

Malwarebytes' Anti-Malware 1.32
Database version: 1617
Windows 5.1.2600 Service Pack 2

1/5/2009 5:00:48 AM
mbam-log-2009-01-05 (05-00-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 169040
Time elapsed: 1 hour(s), 44 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:52 AM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\KeenfinderSrch\keenfinder.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\KeenfinderSrch\keenfinder.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KeenfinderSrch Service - Unknown owner - C:\Program Files\KeenfinderSrch\keenfinder.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 8087 bytes

ComboFix 09-01-04.01 - Joe 2009-01-05 5:04:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.823 [GMT -6:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 03:20 . 2009-01-04 13:44 <DIR> d-------- C:\HD
2009-01-04 02:10 . 2009-01-04 02:10 <DIR> d-------- c:\program files\Trend Micro
2009-01-03 12:21 . 2009-01-03 12:32 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-03 12:21 . 2009-01-03 12:33 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-03 12:21 . 2009-01-03 12:32 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-03 12:21 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-03 12:20 . 2009-01-05 01:34 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\documents and settings\Joe\Application Data\PC Tools
2009-01-02 22:40 . 2005-12-29 13:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\toshiba
2009-01-02 22:40 . 2008-06-11 04:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
2009-01-02 22:40 . 2009-01-03 05:00 <DIR> d---s---- c:\documents and settings\Administrator
2008-12-31 12:56 . 2008-12-31 12:56 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-29 21:54 . 2008-12-29 22:19 <DIR> d-------- c:\documents and settings\Joe\Application Data\vlc
2008-12-29 21:53 . 2008-12-29 21:53 <DIR> d-------- c:\program files\VideoLAN
2008-12-29 21:29 . 2008-12-29 21:32 <DIR> d-------- c:\program files\The KMPlayer
2008-12-29 18:42 . 2008-12-29 18:42 <DIR> d-------- C:\Games
2008-12-29 18:42 . 1996-10-15 18:01 298,496 --a------ c:\windows\uninst.exe
2008-12-29 17:46 . 2008-12-29 17:45 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-29 06:14 . 2008-12-29 06:14 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-12-29 06:12 . 2008-12-29 06:13 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-12-26 01:30 . 2008-12-26 01:30 <DIR> d-------- c:\program files\Bonjour
2008-12-23 23:32 . 2008-12-24 00:43 <DIR> d-------- c:\program files\Maxtor
2008-12-23 23:32 . 2008-12-24 00:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Maxtor
2008-12-23 23:31 . 2008-12-23 23:31 <DIR> d--hs---- c:\windows\ftpcache
2008-12-23 23:31 . 2008-12-24 00:39 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-22 15:24 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-22 15:24 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 15:23 . 2008-12-22 15:24 <DIR> d-------- c:\program files\iTunes
2008-12-22 15:23 . 2008-12-22 15:23 <DIR> d-------- c:\program files\iPod
2008-12-22 15:23 . 2008-12-22 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 04:01 . 2008-12-22 04:01 <DIR> d-------- c:\documents and settings\Joe\Application Data\Sierra
2008-12-22 03:35 . 2008-12-22 03:35 <DIR> d-------- c:\program files\Sierra
2008-12-22 03:08 . 2008-12-22 03:08 <DIR> d-------- C:\SIERRA
2008-12-22 03:08 . 1996-10-15 10:40 291,600 --a------ c:\windows\system\WININET.DLL
2008-12-16 00:10 . 2009-01-05 03:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 00:10 . 2008-12-16 00:10 <DIR> d-------- c:\documents and settings\Joe\Application Data\Malwarebytes
2008-12-16 00:10 . 2008-12-16 00:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 00:10 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 00:10 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-15 22:01 . 2008-12-15 22:01 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 22:01 . 2009-01-04 04:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 18:44 . 2008-12-15 18:44 11 -ra------ c:\windows\amunres.lsl
2008-12-15 17:26 . 2009-01-05 02:12 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-15 16:23 . 2008-12-15 21:53 <DIR> d-------- c:\documents and settings\Joe\Application Data\Twain
2008-12-15 14:31 . 2008-12-15 14:31 <DIR> d-------- c:\program files\KeenfinderSrch
2008-12-14 17:01 . 2008-12-14 17:01 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\aAvgApi
2008-12-12 17:50 . 2008-12-12 17:50 <DIR> d-------- c:\program files\MySpace
2008-12-12 17:50 . 2008-12-12 17:50 <DIR> d-------- c:\documents and settings\Joe\Application Data\MySpace
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-12-07 01:39 . 2008-12-07 01:39 <DIR> d-------- c:\program files\FileSubmit
2008-12-07 01:38 . 2008-12-15 14:31 <DIR> d-------- c:\program files\Keenfinder
2008-12-06 04:48 . 2008-12-06 04:48 2,321,792 --a------ c:\windows\system32\TUKernel.exe
2008-12-06 04:34 . 2008-12-06 04:34 96,247 --a------ C:\Starcluster_-_Space.jpg
2008-12-06 03:50 . 2008-12-06 03:50 <DIR> d-------- c:\documents and settings\Joe\Application Data\TuneUp Software
2008-12-06 03:50 . 2008-12-06 03:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-06 03:50 . 2007-05-16 09:41 29,704 --a------ c:\windows\system32\uxtuneup.dll
2008-12-06 03:49 . 2008-12-31 12:50 <DIR> d-------- c:\program files\TuneUp Utilities 2007
2008-12-06 03:49 . 2009-01-04 04:33 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-05 13:01 . 2008-12-05 13:01 <DIR> d-------- c:\program files\Brain Workshop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 09:02 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-05 08:12 --------- d-----w c:\documents and settings\Joe\Application Data\uTorrent
2009-01-03 19:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-03 19:18 --------- d-----w c:\program files\Microsoft Works
2009-01-03 19:13 --------- d-----w c:\program files\Microsoft Expression
2009-01-02 09:31 --------- d-----w c:\documents and settings\Joe\Application Data\OpenOffice.org2
2008-12-31 18:44 --------- d-----w c:\program files\DirectVobSub
2008-12-30 02:34 --------- d-----w c:\program files\DivX
2008-12-29 23:45 --------- d-----w c:\program files\Java
2008-12-29 23:38 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2008-12-24 06:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 21:23 --------- d-----w c:\program files\Common Files\Apple
2008-12-22 08:44 --------- d-----w c:\program files\VDMSound
2008-12-22 07:25 --------- d-----w c:\program files\Soulseek
2008-12-18 06:15 --------- d-----w c:\program files\OpenOffice.org 2.4
2008-12-16 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-09 08:04 137 ---ha-w c:\documents and settings\Joe\Application Data\lakerda1967.sys
2008-12-09 08:04 --------- d-----w c:\program files\docXConverter3
2008-12-06 10:02 --------- d-----w c:\program files\DreamStation DXi
2008-12-03 00:10 --------- d-----w c:\program files\WinZip Self-Extractor
2008-12-03 00:10 --------- d-----w c:\documents and settings\All Users\Application Data\WinZipSE
2008-12-02 07:52 --------- d-----w c:\documents and settings\Joe\Application Data\Apple Computer
2008-11-29 23:59 --------- d-----w c:\program files\QuickTime
2008-11-29 23:57 --------- d-----w c:\program files\Apple Software Update
2008-11-28 08:53 --------- d-----w c:\documents and settings\Joe\Application Data\Red Kawa
2008-11-28 08:27 --------- d-----w c:\program files\Red Kawa
2008-11-28 08:27 --------- d-----w c:\program files\AviSynth 2.5
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\nso4A1.tmp
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\nsx4A0.tmp
2008-11-21 21:46 200,704 -c--a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 -c--a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 -c--a-w c:\windows\system32\DivXWMPExtType.dll
2008-11-14 03:22 360,580 ----a-w c:\windows\eSellerateEngine.dll
2008-11-14 03:22 --------- d-----w c:\program files\Common Files\eSellerate
2008-11-07 00:14 --------- d-----w c:\program files\Gabest
2008-11-06 20:07 --------- d-----w c:\documents and settings\Joe\Application Data\DivX
2008-11-05 23:44 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-05 23:44 --------- d-----w c:\documents and settings\Joe\Application Data\SystemRequirementsLab
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-08-06 02:04 256 -c--a-w c:\documents and settings\Joe\pool.bin
.

((((((((((((((((((((((((((((( snapshot@2009-01-05_ 2.37.16.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-05 09:10:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_224.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2003-10-31 442368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-15 1261336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 c:\windows\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-12-27 c:\windows\system32\TDispVol.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-29 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.audxacm"= audxacm.acm
"msacm.ac3acm4audx"= AC3ACM4AUDX.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Joe\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Joe\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-06-06 10:04 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2004-03-24 00:40 196608 c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-15 18:45 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
--a--c--- 2005-12-01 13:13 671744 c:\program files\Toshiba\E-KEY\CeEKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
--a--c--- 2004-05-01 15:45 28672 c:\program files\Toshiba\TOSHIBA Applet\HWSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2005-11-28 12:41 602182 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2005-12-05 13:37 667718 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a--c--- 2004-08-18 05:37 184320 c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a--c--- 2005-07-15 12:52 1077322 c:\program files\Toshiba\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a--c--- 2005-03-17 19:37 151552 c:\toshiba\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2008-03-06 15:19 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a--c--- 2005-04-26 18:13 122880 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
--a--c--- 2004-05-01 15:45 65536 c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a--c--- 2004-12-30 02:32 65536 c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
--a--c--- 2005-12-13 18:28 53248 c:\program files\Toshiba\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a--c--- 2005-11-30 14:25 73728 c:\program files\Toshiba\Tvs\TvsTray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"MySpaceIM"=c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"AGRSMMSG"=AGRSMMSG.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"CPM97c831dc"=Rundll32.exe "c:\windows\system32\nimusofa.dll",a
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\JFDuke3D\\duke3d.exe"=
"c:\\Program Files\\JFDuke3D\\1.5\\DukesterX.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-11 97928]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-06-12 33792]
R3 EchoIndigoIO;Echo Indigo io Service;c:\windows\system32\drivers\echondgo.sys [2007-01-03 140928]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 231704]
R4 KeenfinderSrch Service;KeenfinderSrch Service;c:\program files\KeenfinderSrch\keenfinder.exe [2008-12-15 4608]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-03 356920]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f25e308-507d-11dd-9f63-001302730db0}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{558108f0-7866-11dd-9f89-001302730db0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\14qopspr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 05:06:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-05 5:07:59
ComboFix-quarantined-files.txt 2009-01-05 11:07:22
ComboFix2.txt 2009-01-05 08:37:53

Pre-Run: 23,970,369,536 bytes free
Post-Run: 23,962,234,880 bytes free

298 --- E O F --- 2008-09-29 05:38:02
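The "Reg Loading Points" section of the ComboFix log above is where the evidence for this clean-up sits: the Security Center DisableNotify values and EnableFirewall=0 mean Windows had stopped warning that AV, updates and the firewall were off; the rundll32 entry loading nimusofa.dll is the value the next reply removes; and the MountPoints2 AutoRun commands are the cached autorun.inf actions for removable drives, which matters because the original poster said the USB drive was infected too. The Python below is an added example, not part of any post in this thread and not a BleepingComputer or ComboFix tool: it parses that section in ComboFix's own format and flags those three things. The sample lines are copied from the log; the regular expressions and the decision of what counts as a hit are this example's assumptions.

```python
"""Added example: triage of the 'Reg Loading Points' section of a ComboFix log.
The regexes and what counts as a hit are this example's own assumptions."""
import re

# Constructed sample: lines copied from the ComboFix log above, trimmed to
# the keys a responder looks at first.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"CPM97c831dc"=Rundll32.exe "c:\windows\system32\nimusofa.dll",a
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f25e308-507d-11dd-9f63-001302730db0}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{558108f0-7866-11dd-9f89-001302730db0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.*)$", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.IGNORECASE)
AUTORUN_NAME = "Shell\\AutoRun\\command"  # pseudo value name for MountPoints2 lines

def parse_reg_points(text):
    """Return (key, name, value) triples from ComboFix's REGEDIT4-style dump:
    a [key] header, then "name"=value lines, plus the MountPoints2 AutoRun lines."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append((key, AUTORUN_NAME, m.group(1).strip()))
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group(1), m.group(2).strip()))
    return entries

def dword_value(value):
    """Decode ComboFix's two integer spellings, dword:00000001 and '0 (0x0)'."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", value)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", value)
    return int(m.group(1)) if m else None

def security_tampering(entries):
    """Values malware flips so Windows stops warning that AV, updates or the
    firewall are off. Returns (value name, key) pairs."""
    hits = []
    for key, name, value in entries:
        k, v = key.lower(), dword_value(value)
        if "security center" in k and v == 1 and (
                name.endswith("DisableNotify") or name == "DisableMonitoring"):
            hits.append((name, key))
        elif "firewallpolicy" in k and name == "EnableFirewall" and v == 0:
            hits.append((name, key))
    return hits

def rundll32_loaders(entries):
    """Autostart values that make rundll32 load a DLL and call an export.
    Returns (value name, dll path, export): a lead, not a verdict."""
    hits = []
    for _key, name, value in entries:
        m = RUNDLL_RE.search(value)
        if m:
            hits.append((name, m.group(1), m.group(2)))
    return hits

def autorun_commands(entries):
    """MountPoints2 caches the autorun.inf action Explorer last saw for each
    removable volume, i.e. what opening the drive would run. Returns
    (volume GUID, command) pairs for a human to judge."""
    return [(key.rsplit("\\", 1)[-1], value)
            for key, name, value in entries if name == AUTORUN_NAME]

def triage(text):
    """Run all three checks over one 'Reg Loading Points' dump."""
    entries = parse_reg_points(text)
    return {"tampering": security_tampering(entries),
            "rundll32": rundll32_loaders(entries),
            "autorun": autorun_commands(entries)}

if __name__ == "__main__":
    for section, hits in triage(SAMPLE).items():
        print(f"== {section} ==", *hits, sep="\n  ")
```

On the sample this reports four tampered values, one rundll32 loader (CPM97c831dc, nimusofa.dll, export a) and two AutoRun commands. The two AutoRun commands are a Maxtor tool and a U3 launcher, which is why the script lists them rather than judging them; the rundll32 hit is likewise a lead for a file-level look, not a verdict on its own. On a full ComboFix log, feed it only the text between the "Reg Loading Points" banner and "Contents of the 'Scheduled Tasks' folder".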

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 05 January 2009 - 06:35 AM

A little bit more...


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
KeenfinderSrch Service

File::
c:\windows\system32\nimusofa.dll

Folder::
c:\program files\KeenfinderSrch

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CPM97c831dc"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 momonarikun

momonarikun
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 05 January 2009 - 07:27 AM

Here they are: :thumbsup:


ComboFix 09-01-04.01 - Joe 2009-01-05 6:15:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.973 [GMT -6:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\system32\nimusofa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\KeenfinderSrch
c:\program files\KeenfinderSrch\KeenfinderSrch_deleted_\keenfinder.dll
c:\program files\KeenfinderSrch\KeenfinderSrch_deleted_\keenfinder.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 03:20 . 2009-01-04 13:44 <DIR> d-------- C:\HD
2009-01-04 02:10 . 2009-01-04 02:10 <DIR> d-------- c:\program files\Trend Micro
2009-01-03 12:21 . 2009-01-03 12:32 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-03 12:21 . 2009-01-03 12:33 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-03 12:21 . 2009-01-03 12:32 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-03 12:21 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-03 12:20 . 2009-01-05 01:34 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\documents and settings\Joe\Application Data\PC Tools
2009-01-02 22:40 . 2005-12-29 13:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\toshiba
2009-01-02 22:40 . 2008-06-11 04:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
2009-01-02 22:40 . 2009-01-03 05:00 <DIR> d---s---- c:\documents and settings\Administrator
2008-12-31 12:56 . 2008-12-31 12:56 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-29 21:54 . 2008-12-29 22:19 <DIR> d-------- c:\documents and settings\Joe\Application Data\vlc
2008-12-29 21:53 . 2008-12-29 21:53 <DIR> d-------- c:\program files\VideoLAN
2008-12-29 21:29 . 2008-12-29 21:32 <DIR> d-------- c:\program files\The KMPlayer
2008-12-29 18:42 . 2008-12-29 18:42 <DIR> d-------- C:\Games
2008-12-29 18:42 . 1996-10-15 18:01 298,496 --a------ c:\windows\uninst.exe
2008-12-29 17:46 . 2008-12-29 17:45 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-29 06:14 . 2008-12-29 06:14 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-12-29 06:12 . 2008-12-29 06:13 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-12-26 01:30 . 2008-12-26 01:30 <DIR> d-------- c:\program files\Bonjour
2008-12-23 23:32 . 2008-12-24 00:43 <DIR> d-------- c:\program files\Maxtor
2008-12-23 23:32 . 2008-12-24 00:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Maxtor
2008-12-23 23:31 . 2008-12-23 23:31 <DIR> d--hs---- c:\windows\ftpcache
2008-12-23 23:31 . 2008-12-24 00:39 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-22 15:24 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-22 15:24 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 15:23 . 2008-12-22 15:24 <DIR> d-------- c:\program files\iTunes
2008-12-22 15:23 . 2008-12-22 15:23 <DIR> d-------- c:\program files\iPod
2008-12-22 15:23 . 2008-12-22 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 04:01 . 2008-12-22 04:01 <DIR> d-------- c:\documents and settings\Joe\Application Data\Sierra
2008-12-22 03:35 . 2008-12-22 03:35 <DIR> d-------- c:\program files\Sierra
2008-12-22 03:08 . 2008-12-22 03:08 <DIR> d-------- C:\SIERRA
2008-12-22 03:08 . 1996-10-15 10:40 291,600 --a------ c:\windows\system\WININET.DLL
2008-12-16 00:10 . 2009-01-05 03:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 00:10 . 2008-12-16 00:10 <DIR> d-------- c:\documents and settings\Joe\Application Data\Malwarebytes
2008-12-16 00:10 . 2008-12-16 00:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 00:10 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 00:10 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-15 22:01 . 2008-12-15 22:01 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 22:01 . 2009-01-04 04:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 18:44 . 2008-12-15 18:44 11 -ra------ c:\windows\amunres.lsl
2008-12-15 17:26 . 2009-01-05 06:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-15 16:23 . 2008-12-15 21:53 <DIR> d-------- c:\documents and settings\Joe\Application Data\Twain
2008-12-14 17:01 . 2008-12-14 17:01 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\aAvgApi
2008-12-12 17:50 . 2008-12-12 17:50 <DIR> d-------- c:\program files\MySpace
2008-12-12 17:50 . 2008-12-12 17:50 <DIR> d-------- c:\documents and settings\Joe\Application Data\MySpace
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-12-07 01:39 . 2008-12-07 01:39 <DIR> d-------- c:\program files\FileSubmit
2008-12-06 04:48 . 2008-12-06 04:48 2,321,792 --a------ c:\windows\system32\TUKernel.exe
2008-12-06 04:34 . 2008-12-06 04:34 96,247 --a------ C:\Starcluster_-_Space.jpg
2008-12-06 03:50 . 2008-12-06 03:50 <DIR> d-------- c:\documents and settings\Joe\Application Data\TuneUp Software
2008-12-06 03:50 . 2008-12-06 03:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-06 03:50 . 2007-05-16 09:41 29,704 --a------ c:\windows\system32\uxtuneup.dll
2008-12-06 03:49 . 2008-12-31 12:50 <DIR> d-------- c:\program files\TuneUp Utilities 2007
2008-12-06 03:49 . 2009-01-04 04:33 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-05 13:01 . 2008-12-05 13:01 <DIR> d-------- c:\program files\Brain Workshop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 09:02 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-05 08:12 --------- d-----w c:\documents and settings\Joe\Application Data\uTorrent
2009-01-03 19:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-03 19:18 --------- d-----w c:\program files\Microsoft Works
2009-01-03 19:13 --------- d-----w c:\program files\Microsoft Expression
2009-01-02 09:31 --------- d-----w c:\documents and settings\Joe\Application Data\OpenOffice.org2
2008-12-31 18:44 --------- d-----w c:\program files\DirectVobSub
2008-12-30 02:34 --------- d-----w c:\program files\DivX
2008-12-29 23:45 --------- d-----w c:\program files\Java
2008-12-29 23:38 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2008-12-24 06:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 21:23 --------- d-----w c:\program files\Common Files\Apple
2008-12-22 08:44 --------- d-----w c:\program files\VDMSound
2008-12-22 07:25 --------- d-----w c:\program files\Soulseek
2008-12-18 06:15 --------- d-----w c:\program files\OpenOffice.org 2.4
2008-12-16 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-09 08:04 137 ---ha-w c:\documents and settings\Joe\Application Data\lakerda1967.sys
2008-12-09 08:04 --------- d-----w c:\program files\docXConverter3
2008-12-06 10:02 --------- d-----w c:\program files\DreamStation DXi
2008-12-03 00:10 --------- d-----w c:\program files\WinZip Self-Extractor
2008-12-03 00:10 --------- d-----w c:\documents and settings\All Users\Application Data\WinZipSE
2008-12-02 07:52 --------- d-----w c:\documents and settings\Joe\Application Data\Apple Computer
2008-11-29 23:59 --------- d-----w c:\program files\QuickTime
2008-11-29 23:57 --------- d-----w c:\program files\Apple Software Update
2008-11-28 08:27 --------- d-----w c:\program files\Red Kawa
2008-11-28 08:27 --------- d-----w c:\program files\AviSynth 2.5
2008-11-14 03:22 360,580 ----a-w c:\windows\eSellerateEngine.dll
2008-11-14 03:22 --------- d-----w c:\program files\Common Files\eSellerate
2008-11-07 00:14 --------- d-----w c:\program files\Gabest
2008-11-06 20:07 --------- d-----w c:\documents and settings\Joe\Application Data\DivX
2008-11-05 23:44 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-05 23:44 --------- d-----w c:\documents and settings\Joe\Application Data\SystemRequirementsLab
2008-08-06 02:04 256 -c--a-w c:\documents and settings\Joe\pool.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2003-10-31 442368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-15 1261336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 c:\windows\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-12-27 c:\windows\system32\TDispVol.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-29 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.audxacm"= audxacm.acm
"msacm.ac3acm4audx"= AC3ACM4AUDX.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Joe\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Joe\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-06-06 10:04 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2004-03-24 00:40 196608 c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-15 18:45 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
--a--c--- 2005-12-01 13:13 671744 c:\program files\Toshiba\E-KEY\CeEKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
--a--c--- 2004-05-01 15:45 28672 c:\program files\Toshiba\TOSHIBA Applet\HWSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2005-11-28 12:41 602182 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2005-12-05 13:37 667718 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a--c--- 2004-08-18 05:37 184320 c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a--c--- 2005-07-15 12:52 1077322 c:\program files\Toshiba\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a--c--- 2005-03-17 19:37 151552 c:\toshiba\IVP\ISM\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2008-03-06 15:19 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a--c--- 2005-04-26 18:13 122880 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
--a--c--- 2004-05-01 15:45 65536 c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a--c--- 2004-12-30 02:32 65536 c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
--a--c--- 2005-12-13 18:28 53248 c:\program files\Toshiba\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a--c--- 2005-11-30 14:25 73728 c:\program files\Toshiba\Tvs\TvsTray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"MySpaceIM"=c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"AGRSMMSG"=AGRSMMSG.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\JFDuke3D\\duke3d.exe"=
"c:\\Program Files\\JFDuke3D\\1.5\\DukesterX.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-11 97928]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-06-12 33792]
R3 EchoIndigoIO;Echo Indigo io Service;c:\windows\system32\drivers\echondgo.sys [2007-01-03 140928]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 231704]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-03 356920]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f25e308-507d-11dd-9f63-001302730db0}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{558108f0-7866-11dd-9f89-001302730db0}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\14qopspr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 06:21:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-05 6:24:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 12:24:35
ComboFix2.txt 2009-01-05 11:08:01
ComboFix3.txt 2009-01-05 08:37:53

Pre-Run: 24,013,963,264 bytes free
Post-Run: 24,004,698,112 bytes free

300 --- E O F --- 2008-09-29 05:38:02

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:41 AM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 7861 bytes

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 05 January 2009 - 08:23 AM

Looks very nice.. How is the computer now?.. Let's do an online scan to make sure we don't miss anything....


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 momonarikun

momonarikun
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 07 January 2009 - 04:26 AM

It is running much better! Here is the log from the scan. Thank you so much! :thumbsup:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3741 (20090105)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=7dcf5d79b8767d47a419c3ac2ff7f8b9
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-07 08:18:37
# local_time=2009-01-07 02:18:37 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=656810
# found=0
# scan_time=5611

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 07 January 2009 - 04:49 AM

Great! Now you are good to go.. Let's do some cleanup first..


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbsup:



Have a safe and happy computing day!


Regards
fenzodahl512



#11 momonarikun

momonarikun
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:54 AM

Posted 08 January 2009 - 01:18 PM

Computer is working great, no pop-ups or problems!
Many thanks to you for helping me out :thumbsup: :)

All the best

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 09 January 2009 - 07:54 AM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please PM me or the Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512
