[Resolved] Kavo.exe, Online.Games.Trojan and Hidden Folders

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

2 Pages

1 2 >

[Resolved] Kavo.exe, Online.Games.Trojan and Hidden Folders

Options

Chillo View Member Profile	Apr 20 2008, 03:09 PM Post #1
New Member Group: Authentic Member Posts: 15 Joined: 20-April 08 Member No.: 78,540 Operating System: XP	Hey there, I'm here because I need some help with a few things. 1st is the Kavo.exe that keeps popping up when my computer starts up. I have downloaded AVG Anti-Spyware and XoftSpy SE and nothing still happens (I could delete and quarantine them, but it still pops up). The trojan named (OnlineGames) also appears when i scan and i just delete'm but when i scan again..its still there =( 2nd is Hidden folders...I can't view my hidden folders anymore...i tried going to folder options and ticking the Show all hidden files/folders..but it wouldn't so i check back to the folder options and it goes back to the "Hide hidden folders"... I tried doing some regedit from other forums but it wouldn't work.. I hope you guys could help me Thanks in advance

LDTate View Member Profile	Apr 20 2008, 03:14 PM Post #2
Forum God Group: Root Admin Posts: 39,364 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	http://forums.whatthetech.com/How_To_Remov...451#entry455451

Chillo View Member Profile	Apr 20 2008, 03:33 PM Post #3
New Member Group: Authentic Member Posts: 15 Joined: 20-April 08 Member No.: 78,540 Operating System: XP	Thanks for the quick reply... the Malwarebyte's antimalware scan is still scanning..so i got a HiJackThis log for now..here it is: Logfile of HijackThis v1.99.1 Scan saved at 2:32:33 PM, on 4/20/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\ZoomingHook.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Toshiba\Tvs\TvsTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\TCtrlIOHook.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\dvd43\dvd43_tray.exe C:\Program Files\XoftSpySE\xoftspy.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\WINDOWS\system32\ctfmon.exe C:\program files\valve\steam\steam.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe C:\Program Files\Orbitdownloader\orbitdm.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Orbitdownloader\orbitnet.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\Program Files\BitLord\BitLord.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\USER\Desktop\ATF-Cleaner.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.ca R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.ca R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.ca R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.101 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201 O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203 O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe Thanks again

LDTate View Member Profile	Apr 20 2008, 03:36 PM Post #4
Forum God Group: Root Admin Posts: 39,364 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	OK. We'll see what's found by the scan. Just follow the post I made

Chillo View Member Profile	Apr 20 2008, 03:48 PM Post #5
New Member Group: Authentic Member Posts: 15 Joined: 20-April 08 Member No.: 78,540 Operating System: XP	Hey there! Thanks for the reply again..It says i couldn't delete the items yet..here's the log.. Malwarebytes' Anti-Malware 1.11 Database version: 663 Scan type: Quick Scan Objects scanned: 35681 Time elapsed: 18 minute(s), 41 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\kavo0.dll (Rootkit.Agent) -> Unloaded module successfully. Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\kavo0.dll (Rootkit.Agent) -> Delete on reboot. Thanks again

LDTate View Member Profile	Apr 20 2008, 03:51 PM Post #6
Forum God Group: Root Admin Posts: 39,364 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	Reboot and "copy/paste" a new HijackThis log file into this thread. Also please describe how your computer behaves at the moment.

Chillo View Member Profile	Apr 20 2008, 04:06 PM Post #7
New Member Group: Authentic Member Posts: 15 Joined: 20-April 08 Member No.: 78,540 Operating System: XP	here it is: Logfile of HijackThis v1.99.1 Scan saved at 3:04:49 PM, on 4/20/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\ZoomingHook.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Toshiba\Tvs\TvsTray.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\TCtrlIOHook.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\dvd43\dvd43_tray.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ctfmon.exe C:\program files\valve\steam\steam.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Orbitdownloader\orbitdm.exe C:\WINDOWS\system32\RAMASST.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Orbitdownloader\orbitnet.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.ca R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.ca R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.ca R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.101 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201 O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203 O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe thanks again.. computer is doing fine as for now

LDTate View Member Profile	Apr 20 2008, 04:09 PM Post #8
Forum God Group: Root Admin Posts: 39,364 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	Log looks good You need to create a new Clean restore point. Note: This will remove all previous Restore Points Turn off System Restore: On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. Restart your computer, turn it back on. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Remove the Check Turn off System Restore. Click Apply, and then click OK. Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab. Check "Hide file extensions for known file types." Under the "Hidden files" folder, Uncheck "Show hidden files and folders." Check "Hide protected operating system files." Click Apply, and then click OK. If you dont have any programs like these, I would recommend that you get them. Spywareblaster, Spywareguard. Only run one Anti-Virus and Firewall program. It is critical to have both a firewall and anti virus to protect your system. Safe Surfing. I would also suggest you read this: So how did I get infected in the first place? by Tony Klein

Chillo View Member Profile	Apr 20 2008, 09:54 PM Post #9
New Member Group: Authentic Member Posts: 15 Joined: 20-April 08 Member No.: 78,540 Operating System: XP	Hey there.. I dont think its done yet =( a "1.exe" popped up..just like the kavo.exe before.. and i couldn't still view my hidden folder files..once i checked show hidden files to look for it..it doesnt and then i go back to folder options and the Do not show hidden files is checked..and it just keeps on going back to the "Do not show..." help again =S Thanks

Chillo View Member Profile	Apr 20 2008, 10:05 PM Post #10
New Member Group: Authentic Member Posts: 15 Joined: 20-April 08 Member No.: 78,540 Operating System: XP	also.. I ran my AVG Anti-Spyware and it found a threat called: " Trojan.OnLine.Games.thx "

Chillo View Member Profile	Apr 21 2008, 12:29 AM Post #11
New Member Group: Authentic Member Posts: 15 Joined: 20-April 08 Member No.: 78,540 Operating System: XP	UPDATE: Mbam log: Malwarebytes' Anti-Malware 1.11 Database version: 663 Scan type: Quick Scan Objects scanned: 35689 Time elapsed: 2 hour(s), 5 minute(s), 9 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\kavo1.dll (Rootkit.Agent) -> Unloaded module successfully. Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kava (Rootkit.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\kavo1.dll (Rootkit.Agent) -> Delete on reboot. C:\WINDOWS\system32\kavo.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

LDTate View Member Profile	Apr 21 2008, 05:42 AM Post #12
Forum God Group: Root Admin Posts: 39,364 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	Download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop -------------------------------------------------------------------- Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix. WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts Please do not re-connect your machine back to the Internet until Combofix has completely finished. -------------------------------------------------------------------- Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ** *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections. Give it atleast 20-30 minutes to finish

Chillo

Apr 21 2008, 12:40 PM

Post #13

New Member

Group: Authentic Member
Posts: 15
Joined: 20-April 08
Member No.: 78,540
Operating System: XP

ComboFix Log:

ComboFix 08-04-20.5 - USER 2008-04-21 9:40:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.355 [GMT -7:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\JFGDZZBD\www.broadcaster.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-20 14:20 . 2008-04-20 14:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 14:20 . 2008-04-20 14:20 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Malwarebytes
2008-04-20 14:20 . 2008-04-20 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 21:25 . 2008-04-19 21:25 <DIR> d-------- C:\Documents and Settings\BACS\Application Data\Grisoft
2008-04-19 17:55 . 2008-04-19 17:55 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Grisoft
2008-04-19 17:47 . 2008-04-19 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-19 17:47 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-19 17:36 . 2008-04-20 20:50 117,409 -r-hs---- C:\h8i.com
2008-04-17 20:41 . 2008-04-18 15:15 116,274 -r-hs---- C:\dp.cmd
2008-04-16 22:41 . 2008-04-16 22:41 <DIR> d---s---- C:\Documents and Settings\BACS\UserData
2008-04-15 19:57 . 2008-04-15 19:56 116,360 -r-hs---- C:\bqk.bat
2008-04-13 19:09 . 2008-04-13 19:09 116,759 -r-hs---- C:\vt6e.cmd
2008-04-09 23:30 . 2008-04-09 23:30 <DIR> d-------- C:\Documents and Settings\BACS\Application Data\Talkback
2008-04-09 23:29 . 2008-04-16 22:40 <DIR> d-------- C:\Documents and Settings\BACS\Contacts
2008-04-09 23:08 . 2008-04-20 16:05 <DIR> d-------- C:\Documents and Settings\BACS\Application Data\Orbit
2008-04-09 23:08 . 2008-04-16 22:43 <DIR> d-------- C:\Documents and Settings\BACS\Application Data\Apple Computer
2008-04-09 23:07 . 2005-01-26 17:03 <DIR> d-------- C:\Documents and Settings\BACS\WINDOWS
2008-04-09 23:07 . 2005-01-26 17:07 <DIR> d-------- C:\Documents and Settings\BACS\Application Data\toshiba
2008-04-09 23:07 . 2005-01-26 18:03 <DIR> d-------- C:\Documents and Settings\BACS\Application Data\Symantec
2008-04-09 23:07 . 2005-01-26 17:01 <DIR> d-------- C:\Documents and Settings\BACS\Application Data\InterTrust
2008-04-09 23:07 . 2008-04-16 22:41 <DIR> d-------- C:\Documents and Settings\BACS
2008-04-09 23:07 . 2008-04-21 09:39 1,024 --ah----- C:\Documents and Settings\BACS\ntuser.dat.LOG
2008-03-31 14:07 . 2008-03-31 14:07 39,944 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-22 10:06 . 2008-03-22 10:06 <DIR> d-------- C:\Program Files\Safari
2008-03-22 10:04 . 2008-04-21 09:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-22 10:04 . 2008-03-22 10:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-22 10:03 . 2008-03-22 10:03 <DIR> d-------- C:\Program Files\iTunes
2008-03-22 09:59 . 2008-03-22 10:00 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 16:12 --------- d-----w C:\Documents and Settings\USER\Application Data\Orbit
2008-04-18 22:21 --------- d-s---w C:\Program Files\LimeWire
2008-04-18 22:13 --------- d-----w C:\Program Files\Incomplete
2008-04-18 16:34 --------- d-----w C:\Documents and Settings\USER\Application Data\LimeWire
2008-04-18 16:17 --------- d-----w C:\Program Files\XoftSpySE
2008-04-15 18:14 --------- d-----w C:\Program Files\DivX
2008-04-15 03:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 05:19 --------- d-----w C:\Program Files\Orbitdownloader
2008-04-03 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-29 21:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-24 18:02 --------- d-----w C:\Program Files\TVUPlayer
2008-03-22 18:44 --------- d-----w C:\Documents and Settings\USER\Application Data\Apple Computer
2008-03-22 17:03 --------- d-----w C:\Program Files\iPod
2008-03-20 07:30 --------- d-----w C:\Documents and Settings\USER\Application Data\TVU networks
2008-03-20 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU networks
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 05:50 --------- d-----w C:\Program Files\MSN Messenger
2008-03-11 02:15 --------- d-----w C:\Program Files\Windows Live
2008-03-11 02:03 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-11 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-07 04:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 04:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 04:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-05 20:41 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-03-04 02:32 --------- d-----w C:\Documents and Settings\USER\Application Data\gtk-2.0
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-21 22:40 114 ----a-w C:\sccfg.sys
2007-04-03 14:01 34,293 ----a-w C:\Documents and Settings\Fonts\fatboyslim.zip
2007-04-03 11:49 7,634 ----a-w C:\Documents and Settings\Fonts\transformers.zip
2007-04-03 11:42 18,957 ----a-w C:\Documents and Settings\Fonts\minnesotatimberwolves.zip
2007-04-03 11:24 22,868 ----a-w C:\Documents and Settings\Fonts\playstation.zip
2007-04-03 11:23 41,601 ----a-w C:\Documents and Settings\Fonts\subway.zip
2007-04-03 11:21 12,216 ----a-w C:\Documents and Settings\Fonts\starskyandhutch.zip
2007-04-03 11:20 60,020 ----a-w C:\Documents and Settings\Fonts\mountaindew.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24 65536]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 06:49 4662776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Uniblue Registry Booster2"="C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" [ ]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-03-29 13:59 1271032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 22:10 344064]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-24 07:01 5419008]
"nwiz"="nwiz.exe" [2004-11-24 07:01 1490944 C:\WINDOWS\system32\nwiz.exe]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-11-29 10:10 667648]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 07:40 196608]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-29 22:06 53248]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 10:34 278528 C:\WINDOWS\system32\TPSMain.exe]
"ZoomingHook"="ZoomingHook.exe" [2004-07-14 17:07 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 16:03 135168]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-12-23 19:07 28672]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2004-12-07 06:24 24576]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-30 02:05 127035]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 18:57 73728]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-06-29 19:04 1077326]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-12-27 11:26 61440]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-06 07:47 88363 C:\WINDOWS\agrsmmsg.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-01-23 22:51 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"CFSServ.exe"="CFSServ.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-14 20:10 116328]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-21 22:26 694272]
"XoftSpySE"="C:\Program Files\XoftSpySE\xoftspy.exe" [2007-10-24 11:59 728576]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19 15872]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 14:41:35 147456]

C:\Documents and Settings\USER\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 10:57:16 2913584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-13 13:44:06 29696]
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [2008-01-09 01:26:15 1678536]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-01-26 16:53:14 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 16:18]
S3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-23 14:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{629ca93e-8a7e-11dc-ab08-0012f08fe389}]
\Shell\AutoRun\command - F:\wkcay8u.cmd
\Shell\explore\Command - F:\wkcay8u.cmd
\Shell\open\Command - F:\wkcay8u.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ad72958-b90c-11dc-ab5b-0012f08fe389}]
\Shell\AutoRun\command - E:\vt6e.cmd
\Shell\explore\Command - E:\vt6e.cmd
\Shell\open\Command - E:\vt6e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d91ad45-e318-11dc-abd6-0012f08fe389}]
\Shell\AutoRun\command - F:\vt6e.cmd
\Shell\explore\Command - F:\vt6e.cmd
\Shell\open\Command - F:\vt6e.cmd

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 16:41:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-21 16:10:06 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-21 16:09:29 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 09:46:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-21 9:49:13
ComboFix-quarantined-files.txt 2008-04-21 16:49:04

Pre-Run: 11,200,196,608 bytes free
Post-Run: 11,313,651,712 bytes free

190 --- E O F --- 2008-04-10 04:00:53

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

HiJackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:12 AM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe