[Resolved] Computer Unusable! Spyware desktop background and


57 replies to this topic

#1 milkman0
Posted 28 April 2008 - 09:17 PM

Last night I had left my computer with Internet Explorer open only to find that it has become completely unusable. It has as wallpaper a blue background with a rectangular box in the middle. The top half of this box is yellow and says "Warning! Spyware detected on your computer." The bottom half is blue and says "Install an antivirus or spyware remover to clean your computer."

I am unable to run any programs, including msconfig to restore to normal startup. The only way I could get HijackThis to run was by starting in safe mode with command prompt. HijackThis is on a thumb drive. I saw this same post a few days ago, but noticed it was closed today. I am opening another thread on this topic as a separate issue. Log is as follows:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:55 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\cmd.exe
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toolbar.google.com/done
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [{DA-A7-73-3C-DW}] c:\windows\system32\jlwnw64n.exe DWram
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Administrator\cftmon.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Tommy\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [VirusHeat 4.3] "C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [advap32] C:\WINDOWS\TEMP\151F.tmp/r
O4 - HKLM\..\Run: [3511] C:\WINDOWS\TEMP\3511.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Administrator\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\WINDOWS\system32\config\systemprofile\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WintelUpdate] C:\WINDOWS\TEMP\E4F.tmp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [kavir] C:\WINDOWS\kavir.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202624207765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O22 - SharedTaskScheduler: frowardness - {b0fdc513-46b9-46fc-8e70-d575ee546dae} - C:\WINDOWS\system32\zfaiqwr.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tbXk\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8681 bytes

Anything look suspicious?? Thanks in advance!

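As an added example (not code from this thread, from HijackThis or from the helpers here), a defender-side triage script for O4 autostart and O23 service lines like the ones in the log above. It flags the classic tells a helper looks for first: a program run from a Temp directory, an .exe inside system32\drivers, an .exe sitting directly in a user profile root, a Run value named only with a number, and file names one letter away from a Windows system binary (spools.exe vs spoolsv.exe, cftmon.exe vs ctfmon.exe, winlogan.exe vs winlogon.exe). The sample lines are copied from the posted log; the similarity threshold and the list of imitated names are my own assumptions.

```python
"""Triage O4 (autostart) and O23 (service) lines from a HijackThis log.

Heuristics only: a hit is a reason to look closer, not proof of infection.
"""
import re
from difflib import SequenceMatcher

# Constructed sample: eight lines copied from the HijackThis log posted above,
# mixing legitimate entries with the ones a helper would want to look at.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Administrator\cftmon.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Tommy\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [3511] C:\WINDOWS\TEMP\3511.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Windows binaries that malware imitates with one-letter changes (assumed list).
SYSTEM_NAMES = ("ctfmon", "spoolsv", "winlogon", "svchost", "lsass",
                "services", "smss", "csrss", "explorer", "rundll32")

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# Program path at the start of a Run value: optionally quoted, arguments may follow.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|tmp))(?=$|["\s/])', re.IGNORECASE)


def executable_path(cmd):
    """Pull the program path out of a Run value, with or without quotes/arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def lookalike(path):
    """Return the system binary a file name imitates (close but not identical), else None."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    if stem in SYSTEM_NAMES:
        return None  # the real thing (at least by name)
    for known in SYSTEM_NAMES:
        # 0.8 is an assumed threshold: catches one-letter swaps, not unrelated names.
        if SequenceMatcher(None, stem, known).ratio() >= 0.8:
            return known
    return None


def location_flags(path):
    """Flag paths that legitimate autostarts almost never use."""
    p = path.lower()
    reasons = []
    if "\\temp\\" in p or "\\tmp\\" in p:
        reasons.append("runs from a Temp directory")
    if "\\drivers\\" in p and p.endswith(".exe"):
        reasons.append("an .exe in system32\\drivers (only .sys files belong there)")
    if re.search(r"documents and settings\\[^\\]+\\[^\\]+\.exe$", p):
        reasons.append("an .exe sitting directly in a user profile root")
    return reasons


def triage_line(line):
    """Classify one HijackThis line; returns None for lines that are not O4/O23."""
    m = O4_RE.match(line)
    if m:
        kind, label, cmd = "O4", m.group("name"), m.group("cmd")
    else:
        m = O23_RE.match(line)
        if not m:
            return None
        kind, label, cmd = "O23", m.group("svc"), m.group("cmd")
    path = executable_path(cmd)
    reasons = location_flags(path)
    imitated = lookalike(path)
    if imitated:
        reasons.append(f"file name imitates {imitated}.exe")
    if kind == "O4" and label.isdigit():
        reasons.append("Run value name is just a number")
    return {"kind": kind, "label": label, "path": path, "reasons": reasons}


def triage(log_text):
    """Run triage_line over a whole log and keep only entries that raised a reason."""
    hits = []
    for line in log_text.splitlines():
        entry = triage_line(line)
        if entry and entry["reasons"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["kind"]} [{hit["label"]}] {hit["path"]}')
        for reason in hit["reasons"]:
            print("   -", reason)
```

Every O4 line in the posted log can be fed through `triage` the same way; entries it stays silent on still deserve a look, since location and name heuristics catch only the lazy cases.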


#2 gringo_pr
Posted 03 May 2008 - 05:56 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

Sorry about the delay in responding :( The forums have been very busy

If you still need help, scan again with HijackThis and copy/paste a new log file into this thread.

Also please make an uninstall list and post that as well

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.


Gringo


#3 milkman0
Posted 03 May 2008 - 07:38 PM

Here is the dump of my uninstalllist.txt. Sorry, but I did run combofix.exe yesterday in an attempt to get my desktop back...it didn't work. I will wait to hear from you before I do anything else. After the uninstalllist.txt I attached an updated HijackThis log file also, just to be up to date.

UNINSTALL LIST:
ABC (remove only)
AC97 Data Fax SoftModem with SmartCP
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
AOL Uninstaller (Choose which Products to Remove)
ArcSoft Software Suite
AT&T Connection Services Manager
Atheros Client Utility
Atheros Wireless LAN MiniPCI card Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AviSplit Classic Version 1.43
BitTorrent 4.26.0
BlackBerry Desktop Software 4.0.1
BlackBerry Desktop Software 4.0.1
BroadJump Client Foundation
Brush Lettering Software
CD/DVD Drive Acoustic Silencer
Cda Product Service - shared component
Conexant AC-Link Audio
DivX Web Player
DVD-RAM Driver
Family Feud (remove only)
Google Earth
Google Toolbar for Internet Explorer
GTK+ 2.8.18-1 runtime environment
HijackThis 2.0.2
Hotfix for Windows XP (KB894871)
Hotfix for Windows XP (KB895200)
Hotfix for Windows XP (KB926239)
Inkscape 0.45.1
InterVideo WinDVD for TOSHIBA
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 2
Learn2 Player (Uninstall Only)
Lexmark Z600 Series
LimeWire 4.10.9
MAGIX Music Manager
MAGIX Photo Manager
MAGIX Photostory on CD & DVD 4.0
McAfee SecurityCenter
McAfee VirusScan
MediaCoder 0.6.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (2.0.0.14)
MyPublisher BookMaker
MySidesearch Search Assistant Adzgalore
Notebook Maximizer
OpenOffice.org 2.0
Paint Shop Pro 7 ESD
Phun beta 3.12
Picasa 2
Pure Networks Port Magic
Quicken 2005
QuickTime
RealPlayer Basic
REALTEK Gigabit and Fast Ethernet NIC Driver
RocketFish Webcam
SBC Self Support Tool
Skype™ 3.6
Sonic DLA
Sonic RecordNow!
Switch
Synaptics Pointing Device Driver
The GIMP 2.2.12
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA PC Diagnostic Tool
Toshiba Q4 Retail Demo ScreenSaver
Toshiba Registration
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
Toshiba Touchpad Utility
Toshiba Utility
TOSHIBA Zooming Utility
Touch and Launch
TurboTax 2005
TurboTax ItsDeductible 2005
Update for Windows XP (KB898461)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WexTech AnswerWorks
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893056
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip
Yahoo! Install Manager


________________________________
________________________________
________________________________

HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:39 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicr...s/?hjtver=2.0.2
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [{DA-A7-73-3C-DW}] c:\windows\system32\jlwnw64n.exe DWram
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202624207765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfGVpon - khfGVpon.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O22 - SharedTaskScheduler: frowardness - {b0fdc513-46b9-46fc-8e70-d575ee546dae} - C:\WINDOWS\system32\zfaiqwr.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6202 bytes

#4 milkman0
Posted 03 May 2008 - 07:54 PM

Also, I forgot to mention that I can get into Task Manager while in safe mode, so I can start new tasks. If I run 'explorer.exe' my desktop will appear and I have access to all my files. I have been backing up my pictures and documents this way. Just FYI, in case this allows for other debug options.

#5 gringo_pr
Posted 03 May 2008 - 08:27 PM

Hello milkman0

I would like to see the ComboFix log.
It should be located here: C:\ComboFix.txt (it is on the C drive, named combofix).

Let me see this as soon as possible.

gringo

#6 milkman0
Posted 03 May 2008 - 08:54 PM

As requested, my combofix log file:

ComboFix 08-04-29.3 - Administrator 2008-04-29 22:32:06.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\Tommy\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\Tommy\Application Data\macromedia\Flash Player\#SharedObjects\Q8BBKYQ7\www.broadcaster.com
C:\Documents and Settings\Tommy\Application Data\macromedia\Flash Player\#SharedObjects\Q8BBKYQ7\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Tommy\Application Data\macromedia\Flash Player\#SharedObjects\Q8BBKYQ7\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Tommy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Tommy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Tommy\Application Data\Microsoft\Internet Explorer\Quick Launch\Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\Tommy\Favorites\Online Security Test.url
C:\Documents and Settings\Tommy\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Tommy\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Tommy\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Tommy\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Tommy\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Tommy\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Tommy\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\AntiVirusPro
C:\Program Files\Helper
C:\Program Files\ISM
C:\Program Files\NetProject
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrModule
C:\Program Files\QdrPack
C:\Program Files\sstem~1
C:\Program Files\sstem~1\mshta.exe
C:\Program Files\sstem~1\s?stem\
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msacm32.drv
C:\WINDOWS\muotr.so
C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\?srss.exe
C:\WINDOWS\sdfixwcs.dll
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\b1\cbwa3ui.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\DfNWwyay.ini
C:\WINDOWS\system32\DfNWwyay.ini2
C:\WINDOWS\system32\drivers\bjq76.sys
C:\WINDOWS\system32\drivers\nwlnkfwdd.sys
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\hqiopa.sys
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\khfGVpon.dll
C:\WINDOWS\system32\lbbngj.dll
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\n3\predircom3.exe
C:\WINDOWS\system32\yaywWNfD.dll
C:\WINDOWS\wuasirvy.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NWLNKFWDD
-------\Service_bjq76
-------\Service_MsSecurity1.209.4
-------\Service_nwlnkfwdd


((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-04-29 21:39 . 2008-04-29 21:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 07:37 . 2008-04-29 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 19:56 . 2005-08-09 15:00 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-27 19:56 . 2005-08-09 15:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-27 19:56 . 2005-08-09 15:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-27 19:56 . 2005-08-09 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-27 19:56 . 2005-08-09 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-27 19:56 . 2006-03-12 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-27 19:56 . 2008-04-29 22:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-27 19:56 . 2008-05-03 18:07 24,576 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-27 19:46 . 2008-04-27 19:46 578 --a------ C:\WINDOWS\index.html
2008-04-27 16:39 . 2008-04-27 16:39 49,172 --a------ C:\WINDOWS\system32\jlwnw64n.exe
2008-04-27 16:39 . 2008-04-27 16:39 0 --a------ C:\Documents and Settings\Tommy\AntiVirusPro.exe.log
2008-04-27 16:25 . 2008-04-27 16:25 13,824 --a------ C:\dssic.exe
2008-04-27 16:24 . 2008-04-27 16:24 89,070 --a------ C:\WINDOWS\system32\myss_sb_uninstall.exe
2008-04-27 16:24 . 2008-04-27 16:24 14,336 --a------ C:\zHGq.exe
2008-04-27 16:18 . 2008-04-27 16:18 298,309 --a------ C:\WINDOWS\system32\gside.exe
2008-04-27 16:18 . 2008-04-27 16:18 200,776 --a------ C:\WINDOWS\system32\kcntmkdn.exe
2008-04-27 16:18 . 2008-04-27 16:18 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-04-27 16:11 . 2008-04-27 16:11 36,864 --a------ C:\WINDOWS\system32\fadgsd.exe
2008-04-27 16:11 . 2008-04-27 16:11 36,864 --a------ C:\WINDOWS\fghetygndf.exe
2008-04-27 16:11 . 2008-04-27 16:11 20,480 --a------ C:\WINDOWS\quit.exe
2008-04-27 16:08 . 2008-04-29 22:08 <DIR> d-------- C:\WINDOWS\VG9tbXk
2008-04-27 16:07 . 2008-04-27 16:07 <DIR> d-------- C:\WINDOWS\system32\wTMP
2008-04-27 16:07 . 2008-04-27 16:07 <DIR> d-------- C:\WINDOWS\system32\pnVes06
2008-04-27 16:07 . 2008-04-27 16:07 <DIR> d-------- C:\Temp\zvebs14
2008-04-27 16:07 . 2008-04-27 16:07 <DIR> d-------- C:\Temp\kvebs14
2008-04-27 16:07 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-11 08:46 . 2008-04-11 08:46 334,848 --a------ C:\WINDOWS\system32\myss_sb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 22:55 --------- d-----w C:\Documents and Settings\Tommy\Application Data\OpenOffice.org2
2008-03-28 16:01 --------- d-----w C:\Documents and Settings\Tommy\Application Data\skypePM
2008-03-25 19:22 --------- d-----w C:\Documents and Settings\Tommy\Application Data\Skype
2008-03-11 15:32 --------- d-----w C:\Program Files\Phun
2008-03-09 04:47 --------- d-----w C:\Program Files\MediaCoder
2008-03-06 05:28 --------- d-----w C:\Documents and Settings\Tommy\Application Data\gtk-2.0
2008-03-05 03:13 --------- d-----w C:\Program Files\Inkscape
2008-03-05 03:13 --------- d-----w C:\Documents and Settings\Tommy\Application Data\Inkscape
2008-02-10 05:26 30,720 ---h--r C:\WINDOWS\CdaC13BA.EXE
2008-02-10 05:26 112,128 ---h--r C:\WINDOWS\CdaC14BA.DLL
2008-02-10 05:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-04 04:30 1,304,066 ----a-w C:\Program Files\mpc2kxp6482.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43 688218]
"NDSTray.exe"="NDSTray.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52 380928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-22 12:47 155648]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-11-29 02:11 258048]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-14 23:21 675840]
"CFSServ.exe"="CFSServ.exe" []
"{DA-A7-73-3C-DW}"="c:\windows\system32\jlwnw64n.exe" [2008-04-27 16:39 49172]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 18:17 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{b0fdc513-46b9-46fc-8e70-d575ee546dae}"= C:\WINDOWS\system32\zfaiqwr.dll [2008-04-27 16:28 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGVpon]
khfGVpon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\option]
UseAlternateShell REG_DWORD 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"= cmd.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tommy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Tommy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2006-10-10 14:23 43520 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-16 09:43 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 19:29 303104 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 13:05 212992 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
--a------ 2004-05-25 14:35 28672 C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-08-11 23:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-09-07 14:03 1077301 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 17:37 151552 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-22 12:47 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 16:13 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 12:17 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 00:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
--a------ 2005-10-18 15:04 1261568 c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2005-08-10 13:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 19:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 21:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2005-05-09 15:17]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 14:27]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-31 17:08]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-06-13 15:16]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-12-27 06:10]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186f05-bbbb-4a39-864f-72d84615c679}]
rundll32 sockins32.dll,InitModule
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 18:07:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 501248 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
.
**************************************************************************
.
Completion time: 2008-05-03 18:13:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 01:13:10

Pre-Run: 27,675,795,456 bytes free
Post-Run: 27,831,848,960 bytes free

275
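A way to triage a "Reg Loading Points" listing like the one in the log above, as an added example that is not ComboFix's, catchme's or either poster's code. It scores each entry on where it was found (SharedTaskScheduler, ShellServiceObjectDelayLoad, Winlogon\Notify and Active Setup rarely carry legitimate third-party entries), on whether the file was written within days of the scan, on whether ComboFix could find the file at all (an empty `[ ]` block), and on a vowel-less random-looking name. The key list, weights, 14-day window and threshold are my assumptions; the sample lines are copied from the log. The two SafeBoot entries are deliberately not scored: AlternateShell=cmd.exe is the Windows default and UseAlternateShell=1 is what Windows sets when you boot "Safe Mode with Command Prompt", which is how the first HijackThis log in this thread was taken.

```python
"""
Triage of the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not ComboFix's, catchme's or either
poster's code. The lines in SAMPLE are copied from the log above. The key
list, weights, 14-day window and threshold are my own assumptions.
"""
import re
from datetime import date

# Autostart locations where legitimate third-party entries are rare, so anything
# ComboFix prints there deserves a look (assumption: my list, my weights).
RARE_ASEP_KEYS = ("sharedtaskscheduler", "shellserviceobjectdelayload",
                  r"winlogon\notify", r"active setup\installed components")
RECENT_DAYS = 14      # assumption: file written within two weeks of the scan
FLAG_THRESHOLD = 2    # assumption: score at which an entry is reported
SCAN_DATE = date(2008, 5, 3)   # date of the catchme scan in the log above

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"=value [yyyy-mm-dd hh:mm size]; name and [...] are optional because
# Winlogon\Notify and Active Setup entries are printed as bare lines.
ENTRY_RE = re.compile(r'^(?:"(?P<name>[^"]*)"\s*=\s*)?(?P<value>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
FILE_RE = re.compile(r'([A-Za-z]:\\[^\[\]"]*?\.(?:exe|dll|sys)\b|[\w.-]+\.(?:exe|dll|sys)\b)', re.I)
META_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \d+$")

# Constructed sample: a subset of the autostart lines from the log above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43 688218]
"NDSTray.exe"="NDSTray.exe" []
"{DA-A7-73-3C-DW}"="c:\windows\system32\jlwnw64n.exe" [2008-04-27 16:39 49172]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{b0fdc513-46b9-46fc-8e70-d575ee546dae}"= C:\WINDOWS\system32\zfaiqwr.dll [2008-04-27 16:28 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGVpon]
khfGVpon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186f05-bbbb-4a39-864f-72d84615c679}]
rundll32 sockins32.dll,InitModule
'''


def score_entry(key, value, meta, scan_date):
    """Score one autostart line; returns (score, reasons, path) with path None if no file is named."""
    m = FILE_RE.search(value)
    if not m:
        return 0, [], None
    path = m.group(1)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    score, reasons = 0, []
    if any(k in key.lower() for k in RARE_ASEP_KEYS):
        score += 2
        reasons.append("rarely-legitimate autostart key")
    if meta is not None:                       # ComboFix printed a [...] block
        mm = META_RE.match(meta.strip())
        if mm is None:                         # "[]" or "[ ]": file not found on disk
            score += 1
            reasons.append("referenced file not found on disk")
        elif (scan_date - date.fromisoformat(mm.group(1))).days <= RECENT_DAYS:
            score += 2
            reasons.append("file written within %d days of the scan" % RECENT_DAYS)
    if len(stem) >= 5 and not any(c in "aeiou" for c in stem.lower()):
        score += 1
        reasons.append("vowel-less, random-looking file name")
    return score, reasons, path


def triage(log_text, scan_date):
    """Parse REGEDIT4-style autostart lines; return flagged entries, highest score first."""
    flagged, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        if not line or not key:
            continue
        em = ENTRY_RE.match(line)
        score, reasons, path = score_entry(key, em.group("value").strip('"'), em.group("meta"), scan_date)
        if path and score >= FLAG_THRESHOLD:
            flagged.append({"key": key, "name": em.group("name"), "path": path,
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda e: -e["score"])


if __name__ == "__main__":
    for e in triage(SAMPLE, SCAN_DATE):
        print("%d  %-42s  %s" % (e["score"], e["path"], "; ".join(e["reasons"])))
```

On the sample, the five entries the CFScript in this thread later removes (jlwnw64n.exe, zfaiqwr.dll, the sockins32.dll SSODL and Active Setup pair, and the khfGVpon Winlogon notify DLL) are the five that reach the threshold, while the Synaptics entry and the unresolved NDSTray.exe stay below it. A scoring like this is a reading aid for a log, not a verdict: a real triage still checks each flagged file's hash and publisher.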

#7 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 03 May 2008 - 09:47 PM

hello milkman0

: rename hijackthis :

While I go over the ComboFix log, I would like to try something.

Right-click on HijackThis.exe & select Rename, and rename it to milkman.exe. After you have renamed HijackThis,
right-click on it, create a new shortcut and put it on your desktop,
then post back a new HijackThis log.

Do this in normal mode; let me know if this works.

Also, when you say you can't run any programs, are you just talking about security-type programs or all programs in general?


gringo

#8 milkman0

milkman0

    Authentic Member

  • Authentic Member
  • PipPip
  • 27 posts

Posted 03 May 2008 - 10:20 PM

I cannot run anything in normal mode. When I enter Windows normally the background is just plain blue (after running ComboFix; it used to be a warning background), and when I try Ctrl-Alt-Del it says 'Task Manager is disabled by the administrator'. I only have one Windows account so it automatically logs in. When I enter safe mode I have the option of logging in as Administrator or my normal account. I tried renaming HijackThis and putting a shortcut on the desktop in safe mode, but it still didn't show on the desktop in normal mode.

#9 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 03 May 2008 - 11:13 PM

hello milkman

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

KILLALL::

File::
C:\WINDOWS\system32\jlwnw64n.exe
C:\Documents and Settings\Tommy\AntiVirusPro.exe.log
C:\dssic.exe
C:\WINDOWS\system32\myss_sb_uninstall.exe
C:\zHGq.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\kcntmkdn.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\fadgsd.exe
C:\WINDOWS\fghetygndf.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\myss_sb.dll
C:\WINDOWS\system32\zfaiqwr.dll 

Folder::
C:\WINDOWS\VG9tbXk
C:\WINDOWS\system32\wTMP
C:\WINDOWS\system32\pnVes06
C:\Temp\zvebs14
C:\Temp\kvebs14
C:\Temp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{DA-A7-73-3C-DW}"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{b0fdc513-46b9-46fc-8e70-d575ee546dae}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGVpon]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186f05-bbbb-4a39-864f-72d84615c679}]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]


Rootkit::
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clb.dll 
C:\WINDOWS\system32\clbcatex.dll 
C:\WINDOWS\system32\clbcatq.dll 
C:\WINDOWS\system32\clbcfg.dat 
C:\WINDOWS\system32\clbdll.dll



Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

:information and logs:

In your next post I need the following:

1. the new log from ComboFix
2. what antivirus are you using?
3. let me know if things get better
Gringo


#10 milkman0

milkman0

    Authentic Member

  • Authentic Member
  • PipPip
  • 27 posts

Posted 04 May 2008 - 12:00 AM

I ran CFScript.txt from safe mode. My system restarted and I booted into normal Windows, which didn't show any signs of improvement (still blue background, no desktop, etc.). I restarted into safe mode again and ComboFix finished running. I received the following error several times throughout this process:

regt.cfexe.- This application has failed to start because clb.dll was not found. Re-installing the application may fix this problem.

after the log file from ComboFix was generated I received another error:

regedit.exe - This application has failed...ditto.

Looks like a .dll was deleted; do you know what regt.cfexe is used for? Regarding what you asked for...

1.the new log from combofix
-Below

2.what antivirus are you using?
-I was using Grisoft's AVG as my primary antivirus program; however, I don't think it had the updated database, and I question whether it was set up to always run in the background. I used to get a lot of messages from AVG, but the last couple of months I haven't seen any. At one point I was also using AntiVir concurrently, but switched to just using AVG.

3. let me know if things get better
-There was no noticeable improvement in my system. I see the same symptoms when entering Windows normally. I get a blue background with no desktop icons or start menu. If I try Ctrl-Alt-Del it still says "task manager has been disabled by your administrator". I am forced to perform a power button override to exit from this state.


---------------------------------------------------------------
---------------------------------------------------------------
ComboFix 08-04-29.3 - Administrator 2008-05-03 22:27:28.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.77 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Tommy\AntiVirusPro.exe.log
C:\dssic.exe
C:\WINDOWS\fghetygndf.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\fadgsd.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\jlwnw64n.exe
C:\WINDOWS\system32\kcntmkdn.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\myss_sb.dll
C:\WINDOWS\system32\myss_sb_uninstall.exe
C:\WINDOWS\system32\zfaiqwr.dll
C:\zHGq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tommy\AntiVirusPro.exe.log
C:\dssic.exe
C:\Temp
C:\Temp\kvebs14\zvKarru.log
C:\WINDOWS\fghetygndf.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\clb.dll
C:\WINDOWS\system32\clbcatex.dll
C:\WINDOWS\system32\clbcatq.dll
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\fadgsd.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\jlwnw64n.exe
C:\WINDOWS\system32\kcntmkdn.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\myss_sb.dll
C:\WINDOWS\system32\myss_sb_uninstall.exe
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\system32\pnVes06\pnVes061083.exe
C:\WINDOWS\system32\wTMP
C:\WINDOWS\system32\wTMP\idevdpll.exe
C:\WINDOWS\system32\zfaiqwr.dll
C:\WINDOWS\VG9tbXk
C:\zHGq.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-03 21:12 . 2007-06-28 14:36 401,720 --a------ C:\milkman.exe
2008-04-29 21:39 . 2008-04-29 21:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 07:37 . 2008-04-29 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 19:56 . 2005-08-09 15:00 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-27 19:56 . 2005-08-09 15:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-27 19:56 . 2005-08-09 15:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-27 19:56 . 2005-08-09 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-27 19:56 . 2005-08-09 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-27 19:56 . 2006-03-12 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-27 19:56 . 2008-04-29 22:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-27 19:56 . 2008-05-03 22:46 16,384 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-27 19:46 . 2008-04-27 19:46 578 --a------ C:\WINDOWS\index.html
2008-04-27 16:07 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 22:55 --------- d-----w C:\Documents and Settings\Tommy\Application Data\OpenOffice.org2
2008-03-28 16:01 --------- d-----w C:\Documents and Settings\Tommy\Application Data\skypePM
2008-03-25 19:22 --------- d-----w C:\Documents and Settings\Tommy\Application Data\Skype
2008-03-11 15:32 --------- d-----w C:\Program Files\Phun
2008-03-09 04:47 --------- d-----w C:\Program Files\MediaCoder
2008-03-06 05:28 --------- d-----w C:\Documents and Settings\Tommy\Application Data\gtk-2.0
2008-03-05 03:13 --------- d-----w C:\Program Files\Inkscape
2008-03-05 03:13 --------- d-----w C:\Documents and Settings\Tommy\Application Data\Inkscape
2008-02-10 05:26 30,720 ---h--r C:\WINDOWS\CdaC13BA.EXE
2008-02-10 05:26 112,128 ---h--r C:\WINDOWS\CdaC14BA.DLL
2008-02-10 05:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-04 04:30 1,304,066 ----a-w C:\Program Files\mpc2kxp6482.zip
.

((((((((((((((((((((((((((((( snapshot@2008-05-03_18.12.25.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00:00 110,080 -c--a-w C:\WINDOWS\$NtUninstallKB895200$\clbcatex.dll
+ 2004-08-04 12:00:00 501,248 -c--a-w C:\WINDOWS\$NtUninstallKB895200$\clbcatq.dll
- 2008-05-04 00:57:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 05:36:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-04 00:57:25 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-04 05:24:20 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-04 00:57:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-04 05:24:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-04 00:57:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-04 05:24:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43 688218]
"NDSTray.exe"="NDSTray.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52 380928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-22 12:47 155648]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-11-29 02:11 258048]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-14 23:21 675840]
"CFSServ.exe"="CFSServ.exe" []
"combofix"="C:\WINDOWS\system32\CF18978.exe" [2004-08-04 05:00 388608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"combofix"="C:\WINDOWS\system32\CF18978.exe" [2004-08-04 05:00 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 18:17 443968]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\option]
UseAlternateShell REG_DWORD 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"= cmd.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tommy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Tommy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2006-10-10 14:23 43520 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-16 09:43 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 19:29 303104 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 13:05 212992 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
--a------ 2004-05-25 14:35 28672 C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-08-11 23:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-09-07 14:03 1077301 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 17:37 151552 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-22 12:47 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 16:13 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 12:17 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 00:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
--a------ 2005-10-18 15:04 1261568 c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2005-08-10 13:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 19:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 21:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2005-05-09 15:17]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 14:27]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-31 17:08]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-06-13 15:16]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-12-27 06:10]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 22:46:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-03 22:52:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 05:52:23
ComboFix2.txt 2008-05-04 01:13:25

Pre-Run: 28,378,980,352 bytes free
Post-Run: 28,366,012,416 bytes free

226


#11 milkman0

milkman0

    Authentic Member

  • Authentic Member
  • PipPip
  • 27 posts

Posted 04 May 2008 - 12:03 AM

I would just like to add that this is an awesome forum you have here! Thank you for all of your help so far, you guys are a dedicated group. I appreciate the quick replies and genuine willingness to help me and everyone else out there with these types of issues. Thanks! :D

#12 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 04 May 2008 - 01:30 AM

hello milkman

I would just like to add that this is an awesome forum you have here! Thank you for all of your help so far, you guys are a dedicated group. I appreciate the quick replies and genuine willingness to help me and everyone else out there with these types of issues. Thanks!

you are very welcome :thumbup:


OK, you can download a clean version of clb.dll here.

After you download it, you need to unzip it and put it in your system32 folder.
Let me know if you need help with this.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

: Download and Run DSS :

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.

:information and logs:

In your next post I need the following:

1. log from ComboFix
2. log from MBAM
3. log from DSS
4. new log from HijackThis
Gringo
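The Rootkit:: block in the earlier CFScript quarantined all six files catchme had reported as hidden, after which post #10 shows regedit failing because clb.dll was gone, which is why a clean clb.dll is supplied in this post. Three of the six (clb.dll, clbcatex.dll, clbcatq.dll) match, by name and size, files the thread shows elsewhere as legitimate: the KB895200 uninstall backup in the snapshot section, and the re-downloaded clb.dll in the next post. Being hidden is evidence that a rootkit is active, not that the hidden file belongs to the rootkit. The following Python, an added example and not ComboFix's, catchme's or gringo's code, reconciles catchme's hidden-file list against a known-good reference and only scripts removal of the files that do not match, plus the service whose ImagePath (once the \??\globalroot\systemroot prefix is normalized) points at one of them. The reference here is constructed from sizes this thread shows; a real one would be hashes from a trusted catalogue or a clean install of the same service pack.

```python
"""
Separating a rootkit's own files from legitimate files it merely hides.

Added example for this thread: not ComboFix's, catchme's or gringo's code.
The catchme "hidden files" lines and the service ImagePath are copied from the
logs above. KNOWN_GOOD is a constructed reference built from sizes this thread
shows elsewhere (clbcatex.dll and clbcatq.dll in the KB895200 uninstall
backup, clb.dll as re-downloaded in the next post); in practice it would come
from a trusted catalogue and compare hashes, not just sizes.
"""
import re

# Copied from the catchme section of the first ComboFix log above.
HIDDEN_FILES_SECTION = r'''
C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 501248 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable
'''
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver"
SERVICE_IMAGEPATH = r"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

# Constructed reference: Windows XP SP2 file name -> size in bytes (assumption).
KNOWN_GOOD = {"clb.dll": 10752, "clbcatex.dll": 110080, "clbcatq.dll": 501248}

HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes(?: executable)?$")


def parse_hidden(section):
    """Return [(path, size)] from catchme's 'scanning hidden files' output."""
    found = []
    for line in section.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            found.append((m.group("path"), int(m.group("size"))))
    return found


def normalize_nt_path(path, systemroot=r"C:\WINDOWS"):
    """Turn an NT-namespace ImagePath like SERVICE_IMAGEPATH into the Win32 path catchme reports."""
    p = path
    for prefix in ("\\??\\", "\\\\?\\", "globalroot\\"):
        if p.lower().startswith(prefix):
            p = p[len(prefix):]
    if p.lower().startswith("\\systemroot\\"):
        p = p[1:]
    if p.lower().startswith("systemroot\\"):
        p = systemroot + p[len("systemroot"):]
    if not re.match(r"^[A-Za-z]:\\", p):   # bare "system32\drivers\x.sys" is relative to %SystemRoot%
        p = systemroot + "\\" + p.lstrip("\\")
    return p


def reconcile(hidden, known_good):
    """Split hidden files into (unmatched, matched); matched = same name and size as a known-good file."""
    unmatched, matched = [], []
    for path, size in hidden:
        name = path.rsplit("\\", 1)[-1].lower()
        (matched if known_good.get(name) == size else unmatched).append(path)
    return unmatched, matched


def build_cfscript(unmatched, service_key, service_imagepath):
    """Emit a CFScript that quarantines only the unmatched files, plus the service loading one of them."""
    lines = ["Rootkit::", *unmatched, ""]
    if normalize_nt_path(service_imagepath).lower() in {p.lower() for p in unmatched}:
        lines += ["Registry::", "[-%s]" % service_key, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    unmatched, matched = reconcile(parse_hidden(HIDDEN_FILES_SECTION), KNOWN_GOOD)
    print("hidden but matching a known-good file (verify hash, do not delete):")
    for p in matched:
        print("   ", p)
    print(build_cfscript(unmatched, SERVICE_KEY, SERVICE_IMAGEPATH))
```

Run on the thread's data this scripts removal of clbdriver.sys, clbcfg.dat and clbdll.dll and of the clbdriver service, and leaves clb.dll, clbcatex.dll and clbcatq.dll alone for a hash check. A size match is only a first filter: a file that was patched in place can keep its size, so the matched list is "verify", not "trust".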


#13 milkman0

milkman0

    Authentic Member

  • Authentic Member
  • PipPip
  • 27 posts

Posted 04 May 2008 - 09:54 AM

Just a note: I took the log file from the MBAM scan before I clicked Remove All, so the status says 'No action taken'; however, all of these were quarantined.


1.log from combofix

ComboFix 08-04-29.3 - Administrator 2008-05-04 7:52:00.3 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-04 07:49 . 2004-05-13 15:17 10,752 --a------ C:\WINDOWS\system32\clb.dll
2008-05-04 07:49 . 2008-05-04 07:31 5,786 --a------ C:\WINDOWS\system32\clb[1].dll.zip
2008-05-03 21:12 . 2007-06-28 14:36 401,720 --a------ C:\milkman.exe
2008-04-29 21:39 . 2008-04-29 21:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 07:37 . 2008-04-29 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 19:56 . 2005-08-09 15:00 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-27 19:56 . 2005-08-09 15:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-27 19:56 . 2005-08-09 15:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-27 19:56 . 2005-08-09 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-27 19:56 . 2005-08-09 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-27 19:56 . 2006-03-12 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-27 19:56 . 2008-04-29 22:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-27 19:56 . 2008-05-04 07:54 544,768 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-27 19:46 . 2008-04-27 19:46 578 --a------ C:\WINDOWS\index.html
2008-04-27 16:07 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 23:37 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
2008-04-27 22:55 --------- d-----w C:\Documents and Settings\Tommy\Application Data\OpenOffice.org2
2008-03-28 16:01 --------- d-----w C:\Documents and Settings\Tommy\Application Data\skypePM
2008-03-25 19:22 --------- d-----w C:\Documents and Settings\Tommy\Application Data\Skype
2008-03-11 15:32 --------- d-----w C:\Program Files\Phun
2008-03-09 04:47 --------- d-----w C:\Program Files\MediaCoder
2008-03-06 05:28 --------- d-----w C:\Documents and Settings\Tommy\Application Data\gtk-2.0
2008-03-05 03:13 --------- d-----w C:\Program Files\Inkscape
2008-03-05 03:13 --------- d-----w C:\Documents and Settings\Tommy\Application Data\Inkscape
2008-02-10 05:26 30,720 ---h--r C:\WINDOWS\CdaC13BA.EXE
2008-02-10 05:26 112,128 ---h--r C:\WINDOWS\CdaC14BA.DLL
2008-02-10 05:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-04 04:30 1,304,066 ----a-w C:\Program Files\mpc2kxp6482.zip
.

((((((((((((((((((((((((((((( snapshot@2008-05-03_18.12.25.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00:00 110,080 -c--a-w C:\WINDOWS\$NtUninstallKB895200$\clbcatex.dll
+ 2004-08-04 12:00:00 501,248 -c--a-w C:\WINDOWS\$NtUninstallKB895200$\clbcatq.dll
- 2008-05-04 00:57:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 14:48:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-04 00:57:25 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-04 05:24:20 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-04 00:57:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-04 05:24:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43 688218]
"NDSTray.exe"="NDSTray.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52 380928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-22 12:47 155648]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-11-29 02:11 258048]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-14 23:21 675840]
"CFSServ.exe"="CFSServ.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 18:17 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tommy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Tommy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2006-10-10 14:23 43520 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-16 09:43 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 19:29 303104 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 13:05 212992 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
--a------ 2004-05-25 14:35 28672 C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-08-11 23:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-09-07 14:03 1077301 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 17:37 151552 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-22 12:47 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 16:13 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 12:17 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 00:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
--a------ 2005-10-18 15:04 1261568 c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2005-08-10 13:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 19:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 21:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2005-05-09 15:17]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 14:27]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-31 17:08]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-06-13 15:16]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-12-27 06:10]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 07:55:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-04 7:56:57
ComboFix-quarantined-files.txt 2008-05-04 14:56:48
ComboFix2.txt 2008-05-04 05:52:35
ComboFix3.txt 2008-05-04 01:13:25

Pre-Run: 28,368,367,616 bytes free
Post-Run: 28,358,467,584 bytes free

170



2.log from MBAM

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Full Scan (C:\|)
Objects scanned: 104540
Time elapsed: 41 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 32
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{19c33a6b-8066-4a9a-9ec0-c3d6f01529a4} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{06faccd2-c7bb-4612-88de-338120477578} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{0bc37c25-432c-4ec4-95b4-0f860c1bdfe3} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{18c0c3dc-9b12-45c8-8243-11a32babc050} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{20b5789d-76b8-41c3-92d2-72b322d0d81d} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248c5ea6-af58-4a11-97a4-72b183232e58} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2e8986d0-b571-4a3a-a831-0621cfcd7be1} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{30073d4c-957a-4a2b-8dc7-ff57ea3d3dfb} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{30576ee7-054c-4faf-801b-703845928839} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{59fe90af-3bf6-489b-9181-b1ee2a6ce64a} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{65f3c1a2-ec45-445f-b2e5-7fff05344ca0} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{78f4493f-42f4-4ef6-a417-042dd0a7e0af} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{818dd1ed-83b4-4ef0-99f9-e4a6d73e2456} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{853be7bd-f267-4750-b072-2b6b11d3d70c} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{8eb10171-6058-4822-baf3-3da829caca4e} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{91a4a1c5-7fe7-41f1-9d23-cee9d3064175} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{91bd0deb-7196-46b1-9cd0-c26b7b3ab72e} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{93c9f61d-51b6-47ee-8fe5-36185021222b} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{99bcd932-0d63-4f7e-8faa-dbd12b9f494c} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9b99e76d-9081-41c2-ae6e-e43cf752ac71} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9da1ffd9-3cd7-4cb5-8c0b-dcdea5663ae0} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{abe1716e-6f32-4d6f-8f3d-73425d396bdb} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{ae4a9ec4-1dfe-425f-8fc7-501fb6cbf132} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{c53fef45-3339-4d96-83c7-2f4bf389fa7b} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cd0ab90e-4a7f-4f0e-9cfa-5cc428649265} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e0271652-93b4-4bc5-afc7-fb41e0d5004c} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e187f1a7-86bf-4df8-8d3c-33c1d1e50f3a} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e98f32d4-89dd-4e7d-96b8-e1b8d1c22eb2} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f3847cce-f74a-43ea-a323-3ac984c3443e} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{ffe3c26d-fa6d-4884-bd7a-bc1d778eee94} (Rogue.AntiVirusPro) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{f4aaeb6d-3735-45aa-a22b-924cc4882d9c} (Rogue.AntiVirusPro) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl (Trojan.Zlob) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Tommy\Start Menu\Programs\VirusHeat 4.3 (Rogue.VirusHeat) -> No action taken.

Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2J8Z0F8J\sdferw[1].htm (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\webhdll.dll.vir (Adware.WebHancer) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whagent.exe.vir (Adware.WebHancer) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whiehlpr.dll.vir (Adware.WebHancer) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\whinstaller.exe.vir (Adware.WebHancer) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\b1\cbwa3ui.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\wTMP\idevdpll.exe.vir (Adware.ZenoSearch) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0063348.dll (AdWare.CommAd) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0063349.exe (AdWare.CommAd) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0063351.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0063352.dll (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0063359.dll (Adware.E404) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0063384.exe (Trojan.DNSChanger) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0063389.dll (Adware.TargetSaver) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0063398.vbs (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064410.dll (Adware.WebHancer) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064411.exe (Adware.WebHancer) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064413.dll (Adware.WebHancer) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064414.exe (Adware.WebHancer) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064430.dll (Adware.E404) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064432.dll (AdWare.CommAd) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064433.dll (Adware.TargetSaver) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064436.exe (AdWare.CommAd) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064442.dll (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064444.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064450.exe (Trojan.DNSChanger) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064474.vbs (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0064482.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP593\A0069694.exe (Adware.ZenoSearch) -> No action taken.
C:\Documents and Settings\Tommy\Start Menu\Programs\VirusHeat 4.3\Uninstall VirusHeat 4.3.lnk (Rogue.VirusHeat) -> No action taken.
C:\Documents and Settings\Tommy\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3 Website.lnk (Rogue.VirusHeat) -> No action taken.
C:\Documents and Settings\Tommy\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> No action taken.
C:\Documents and Settings\Tommy\Start Menu\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> No action taken.
C:\Documents and Settings\Tommy\Desktop\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> No action taken.
C:\Documents and Settings\Tommy\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> No action taken.



3.log from DSS
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1.50GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 190.17 MiB / 68.52 MiB
Pagefile Memory (total/avail): 465.39 MiB / 382.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.28 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 26.39 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2060AH - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.88 GiB - C:

\\.\PHYSICALDRIVE1 - Kingston DataTraveler 2.0 USB Device - 3.75 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 3.75 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: Avira AntiVir PersonalEdition Classic v0.0.0.0 (Avira GmbH) Disabled
AV: Avira AntiVir PersonalEdition Classic v0.0.0.0 (Avira GmbH)
AV: McAfee VirusScan v (McAfee) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\ABC\\abc.exe"="C:\\Program Files\\ABC\\abc.exe:*:Enabled:abc"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ZIMMERMANN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
GETMODEL=Satellite L25
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\ZIMMERMANN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\GTK\2.0\bin;C:\Mame;C:\Downloads\libxml2-2.6.30.win32\bin;C:\Downloads\libxslt-1.1.22.win32\bin;C:\Downloads\iconv-1.9.2.win32\bin;C:\Downloads\zlib-1.2.3.win32\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=ZIMMERMANN
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Tommy (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABC (remove only) --> C:\Program Files\ABC\Uninstall.exe
AC97 Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_FF311179\HXFSETUP.EXE -U -ItosEW6mk.INF
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA561482-C49D-4687-A61C-96236C1688F0}\Setup.exe" -l0x9
AT&T Connection Services Manager --> C:\WINDOWS\WNBackup\WnClient62\unwise32.exe /Z /U C:\WINDOWS\WNBackup\WnClient62\install.log "AT&T Connection Services Manager"
Atheros Client Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}\setup.exe" -l0x9
Atheros Wireless LAN MiniPCI card Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}\Setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AviSplit Classic Version 1.43 --> "C:\Program Files\AviSplit classic\unins000.exe"
BitTorrent 4.26.0 --> "C:\Program Files\BitTorrent\uninstall.exe"
BlackBerry Desktop Software 4.0.1 --> MsiExec.exe /I{A178D0EF-B921-4B01-8ECA-17E03634AE10}
BlackBerry Desktop Software 4.0.1 --> MsiExec.exe /i{A178D0EF-B921-4B01-8ECA-17E03634AE10}
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Brush Lettering Software --> C:\PROGRA~1\EKSUCC~1\BRUSHL~1\UNWISE.EXE C:\PROGRA~1\EKSUCC~1\BRUSHL~1\INSTALL.LOG
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
Cda Product Service - shared component --> C:\WINDOWS\CdaC13BA.EXE /uninstall
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -ItosEW6a.INF
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\setup.exe" -l0x9 DVD-RAM Driver
Family Feud (remove only) --> "C:\Program Files\Family Feud\Uninstall.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar5.dll"
GTK+ 2.8.18-1 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\unins000.exe"
HijackThis 2.0.2 --> "E:\HijackThis.exe" /uninstall
Inkscape 0.45.1 --> "C:\Program Files\Inkscape\uninst.exe"
InterVideo WinDVD for TOSHIBA --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{78F4DFCE-1336-4027-BCB2-1A00C24A8653} /l1033
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark Z600 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
LimeWire 4.10.9 --> "C:\Program Files\LimeWire\uninstall.exe"
MAGIX Music Manager --> C:\MAGIX\Music_Manager\instslct.exe
MAGIX Photo Manager --> C:\MAGIX\Photo_Manager\instslct.exe
MAGIX Photostory on CD & DVD 4.0 --> C:\MAGIX\Photostory_on_CD_DVD_4\instslct.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\MBAnti-Malware\unins000.exe"
McAfee SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
MediaCoder 0.6.0 --> C:\Program Files\MediaCoder\uninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MyPublisher BookMaker --> C:\Program Files\MyPublisher\BookMaker\BookMaker.exe -uninstall
MySidesearch Search Assistant Adzgalore --> C:\WINDOWS\system32\myss_sb_uninstall.exe
Notebook Maximizer --> C:\WINDOWS\iun6002.exe "C:\Program Files\Notebook Maximizer\irunin.ini"
OpenOffice.org 2.0 --> MsiExec.exe /I{08D2F839-A9FD-4F5A-A529-D45FF6E238A3}
Paint Shop Pro 7 ESD --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Phun beta 3.12 --> "C:\Program Files\Phun\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pure Networks Port Magic --> C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653} /l1033
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
RocketFish Webcam --> C:\Program Files\InstallShield Installation Information\{9D2FCC5F-9B4A-4862-9584-1DD509DC3E08}\Setup.exe -runfromtemp -l0x0009 -removeonly -u
SBC Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Switch --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The GIMP 2.2.12 --> "C:\Program Files\GIMP-2.0\unins000.exe"
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\Setup.exe" -l0x9
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
Toshiba Q4 Retail Demo ScreenSaver --> C:\WINDOWS\Toshiba Q4 Retail Demo.scr /U
Toshiba Registration --> MsiExec.exe /X{F6C405D2-C50D-4D10-B89E-73A233A14D74}
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.exe"
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
Toshiba Tbiosdrv Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Toshiba Tbiosdrv Driver\Tbiosdrv.isu"
Toshiba Touchpad Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{F77890F3-774A-4CBE-A2E3-7BB0DC71D1FA} /l1033
Toshiba Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{099D12EC-0321-4CAC-A0CC-33D020156FCD} /l1033
TOSHIBA Zooming Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\Setup.exe"
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe"
TurboTax 2005 --> C:\Program Files\TurboTax\TurboTax Deluxe 2005\TaxUnst.EXE "C:\Program Files\TurboTax\TurboTax Deluxe 2005\Uninstall.log" -NoGui
TurboTax ItsDeductible 2005 --> MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\common\YINSTH~1.DLL


-- Application Event Log -------------------------------------------------------

Event Record #/Type4574 / Warning
Event Submitted/Written: 05/03/2008 11:37:55 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type4573 / Warning
Event Submitted/Written: 05/03/2008 11:37:55 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 800401E4.

Event Record #/Type4572 / Warning
Event Submitted/Written: 05/03/2008 11:37:55 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type4571 / Warning
Event Submitted/Written: 05/03/2008 11:37:55 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 800401E4.

Event Record #/Type4570 / Warning
Event Submitted/Written: 05/03/2008 11:37:55 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18481 / Error
Event Submitted/Written: 05/04/2008 08:43:43 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type18480 / Error
Event Submitted/Written: 05/04/2008 08:28:02 AM / 05/04/2008 08:28:03 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type18479 / Error
Event Submitted/Written: 05/04/2008 08:27:58 AM / 05/04/2008 08:28:03 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type18478 / Error
Event Submitted/Written: 05/04/2008 08:15:16 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type18477 / Error
Event Submitted/Written: 05/04/2008 08:15:11 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.



-- End of Deckard's System Scanner: finished at 2008-05-04 08:48:55 ------------



...AND THE MAIN.TXT
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-04 08:46:33
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
97: 2008-04-27 23:14:39 UTC - RP593 - Last known good configuration
96: 2008-04-27 23:14:17 UTC - RP592 - System Checkpoint
95: 2008-04-27 23:14:17 UTC - RP591 - System Checkpoint
94: 2008-04-27 23:14:17 UTC - RP590 - System Checkpoint
93: 2008-04-27 23:14:17 UTC - RP589 - System Checkpoint


-- First Restore Point --
1: 2008-04-27 23:13:50 UTC - RP497 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 191 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-04 08:48:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicr...s/?hjtver=2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\Program Files\McAfee.com\VSO\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar5.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202624207765
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\Mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\McShield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\McTskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Swupdtmr - Unknown owner - C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 7745 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - fghetygndf.exe %1
.ini - inifile - shell\open\command - fghetygndf.exe %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.reg - regfile - shell\edit\command - fghetygndf.exe %1
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - fghetygndf.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta HotKey Keyboard Filter Driver>
R3 qmofiltr (Quanta HotKey Mouse Filter Driver) - c:\windows\system32\drivers\qmofiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta Mouse Filter Device Driver>

S2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
S2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys
S2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
S2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
S3 SNP2STD (USB2.0 PC Camera (SNP2STD)) - c:\windows\system32\drivers\snp2sxp.sys <Not Verified; ; USB2.0 PC Camera driver>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
S2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
S2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
S4 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; C-Dilla Ltd; SafeCast Windows NT>
S4 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
S4 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-04 and 2008-05-04 -----------------------------

2008-05-04 07:59:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-04 07:59:46 0 d-------- C:\Program Files\MBAnti-Malware
2008-05-04 07:59:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-03 23:43:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-03 23:25:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-29 22:28:07 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-29 22:28:06 68096 --a------ C:\WINDOWS\zip.exe
2008-04-29 22:28:06 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-29 22:28:06 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-29 22:28:06 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-29 22:28:06 98816 --a------ C:\WINDOWS\sed.exe
2008-04-29 22:28:06 80412 --a------ C:\WINDOWS\grep.exe
2008-04-29 22:28:06 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-29 21:39:15 0 d-------- C:\WINDOWS\ERUNT
2008-04-29 07:37:31 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-27 19:56:20 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-27 19:56:20 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-27 19:56:20 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-27 19:56:20 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-27 19:56:20 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-27 19:56:20 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-27 19:56:20 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-27 19:56:20 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-27 19:56:20 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-27 19:56:20 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-27 19:56:20 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-27 19:56:20 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-27 19:56:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-27 19:56:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-27 19:56:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-27 19:56:16 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-04-29 22:09:27 0 d-------- C:\Program Files\Common Files
2008-04-27 16:37:57 24576 --a------ C:\WINDOWS\system32\userinit.exe
2008-03-11 08:32:45 0 d-------- C:\Program Files\Phun
2008-03-08 21:47:49 0 d-------- C:\Program Files\MediaCoder
2008-03-04 20:13:01 0 d-------- C:\Program Files\Inkscape
2008-02-09 22:26:46 112128 -r-h----- C:\WINDOWS\CdaC14BA.DLL
2008-02-09 22:26:45 30720 -r-h----- C:\WINDOWS\CdaC13BA.EXE


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 05:33 AM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [10/08/2004 02:44 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [10/08/2004 02:43 PM]
"NDSTray.exe"="NDSTray.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 09:26 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [12/10/2003 04:52 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/22/2005 12:47 PM]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [11/29/2006 02:11 AM]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [09/14/2006 11:21 PM]
"CFSServ.exe"="CFSServ.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [12/30/2004 12:32 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tommy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Tommy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
"c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)

*Newly Created Service* - CATCHME
*Newly Created Service* - MBAMCATCHME



-- End of Deckard's System Scanner: finished at 2008-05-04 08:48:55 ------------




4. New log from HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:48 AM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
E:\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicr...s/?hjtver=2.0.2
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202624207765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5796 bytes
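
The "File Associations" block in the DSS log above shows a classic rogue-antispyware persistence trick: the shell\open\command handlers for .txt and .ini, and the shell\edit\command handlers for .bat and .reg, have all been repointed at a single unknown binary, fghetygndf.exe, so opening or editing any of those file types re-launches the rogue instead of Notepad or the file itself. What follows is an added example, not code from the thread, from DSS or from HijackThis: a small Python audit that parses a pasted block in that format, flags every handler that deviates from an assumed Windows XP baseline, groups unknown executables by the verbs they hook (one binary hooking several types is the strong signal), and emits a .reg file that restores the baseline. The baseline values, the sample block and all function names are assumptions for this example.

```python
"""Audit a DSS 'File Associations' block for hijacked shell handlers.

Added example for this thread; not DSS or HijackThis code.
The baseline below is an ASSUMPTION modelled on a clean Windows XP box.
"""
import re
from collections import defaultdict

# Constructed sample input: the association lines from the DSS log above.
SAMPLE = r"""
.bat - batfile - shell\edit\command - fghetygndf.exe %1
.ini - inifile - shell\open\command - fghetygndf.exe %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.reg - regfile - shell\edit\command - fghetygndf.exe %1
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - fghetygndf.exe %1
"""

# Assumed clean-XP defaults for the verbs that appear in the log. Confirm
# these on a known-good machine of the same Windows version before treating
# any mismatch as proof of tampering.
BASELINE = {
    ("batfile", r"shell\open\command"): '"%1" %*',
    ("batfile", r"shell\edit\command"): r"%SystemRoot%\System32\NOTEPAD.EXE %1",
    ("inifile", r"shell\open\command"): r"%SystemRoot%\System32\NOTEPAD.EXE %1",
    ("regfile", r"shell\open\command"): 'regedit.exe "%1" %*',
    ("regfile", r"shell\edit\command"): r"%SystemRoot%\System32\NOTEPAD.EXE %1",
    ("scrfile", r"shell\open\command"): '"%1" /S',
    ("txtfile", r"shell\open\command"): r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}

# ".ext - progid - shell\verb\command - command line"
LINE = re.compile(
    r"^(?P<ext>\.\w+) - (?P<progid>\w+) - (?P<verb>shell\\\w+\\command) - (?P<cmd>.+?)\s*$"
)


def parse(text):
    """Return one dict per association line; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def handler_of(cmd):
    """Executable that actually runs for a verb: first token, quotes stripped,
    basename, lower-cased. None when the verb runs the file itself ("%1")."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        token = cmd[1:cmd.index('"', 1)]
    else:
        token = cmd.split()[0]
    if token == "%1":
        return None
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(text, baseline=BASELINE):
    """Return (mismatches, shared): rows whose command deviates from the
    baseline, and every handler not named in the baseline, keyed to the
    (extension, verb) pairs it hooks."""
    mismatches, shared = [], defaultdict(list)
    known = {handler_of(c) for c in baseline.values()} - {None}
    for row in parse(text):
        expected = baseline.get((row["progid"], row["verb"]))
        if expected is not None and row["cmd"].lower() != expected.lower():
            mismatches.append(row)
        h = handler_of(row["cmd"])
        if h is not None and h not in known:
            shared[h].append((row["ext"], row["verb"]))
    return mismatches, dict(shared)


def reg_fix(mismatches, baseline=BASELINE):
    """Emit a .reg file restoring the baseline for each mismatch. Values that
    contain an environment variable are written as REG_EXPAND_SZ (hex(2):
    UTF-16LE bytes, NUL-terminated) so %SystemRoot% still expands."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for row in mismatches:
        value = baseline[(row["progid"], row["verb"])]
        out.append(f"[HKEY_CLASSES_ROOT\\{row['progid']}\\{row['verb']}]")
        if re.search(r"%[A-Za-z]+%", value):
            data = value.encode("utf-16-le") + b"\x00\x00"
            out.append("@=hex(2):" + ",".join(f"{b:02x}" for b in data))
        else:
            out.append('@="' + value.replace("\\", "\\\\").replace('"', '\\"') + '"')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    bad, shared = audit(SAMPLE)
    for exe, hooks in shared.items():
        print(f"unknown handler {exe} hooks {len(hooks)} verbs: {hooks}")
    print(reg_fix(bad))
```

Run against the pasted block, the audit reports fghetygndf.exe hooking four verbs and lists five deviating rows (the .reg open handler, regedit.exe "%1" %*, matches the baseline and is left alone). The mismatch list is only as trustworthy as the baseline, so check the expected commands on a clean machine before importing the generated .reg, and remember that restoring the handlers does nothing about the binary itself, which still has to be found and removed.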

#14 gringo_pr (Silver Member, Visiting Fellow, 423 posts)

Posted 05 May 2008 - 09:05 AM

Hello milkman

:Fix file associations with DSS:

Make sure DSS.exe is on your Desktop
Next press Start->Run,
copy/paste the following command into the box and press OK:

"%userprofile%\desktop\dss.exe" /daft


Press OK to the disclaimer(s) and then press Scan
Place checkmarks in all the boxes that appear and press Fix
Then close Deckard's System Scanner

Let me know if this helped at all.

Then give me another scan with DSS.


Gringo
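A way to see what a "fix file associations" step is expected to restore, and to re-check after running it, as an added example that is not part of the thread and not DSS's own code: it reads the associations for executable file types from HKEY_CLASSES_ROOT and reports any that differ from the Windows XP defaults assumed here.

```powershell
# Added example, not part of the original thread and not DSS's own code.
# Audits the file associations for executable types against the Windows XP
# defaults (assumed here) so a helper can see what a "fix file associations"
# step should restore, and can re-run the check afterwards to confirm it did.

# Expected ProgId for each extension and the expected shell\open\command.
$expected = @{
    '.exe' = @{ ProgId = 'exefile'; Command = '"%1" %*' }
    '.com' = @{ ProgId = 'comfile'; Command = '"%1" %*' }
    '.bat' = @{ ProgId = 'batfile'; Command = '"%1" %*' }
    '.cmd' = @{ ProgId = 'cmdfile'; Command = '"%1" %*' }
    '.reg' = @{ ProgId = 'regfile'; Command = 'regedit.exe "%1"' }
}

# PowerShell has no HKCR: drive by default; map one onto HKEY_CLASSES_ROOT.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's (default) value, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    return (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
}

function Test-ExecAssociations {
    # Emits one object per extension with the actual values and a Status field.
    foreach ($ext in ($expected.Keys | Sort-Object)) {
        $want = $expected[$ext]
        $progId = Get-DefaultValue "HKCR:\$ext"
        $command = $null
        if ($progId) {
            $command = Get-DefaultValue "HKCR:\$progId\shell\open\command"
        }
        # String comparison is case-insensitive, which suits registry data.
        $status = 'OK'
        if ($progId -ne $want.ProgId) {
            $status = "ProgId changed (expected $($want.ProgId))"
        } elseif ([string]$command -ne $want.Command) {
            $status = "Open command changed (expected $($want.Command))"
        }
        New-Object PSObject -Property @{
            Extension = $ext; ProgId = $progId; Command = $command; Status = $status
        }
    }
}

Test-ExecAssociations | Format-Table Extension, ProgId, Command, Status -AutoSize
```

A changed open command is a reason to look closer, not proof of infection on its own; run the check before and after the DSS fix to confirm the associations came back to the defaults.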

#15 milkman0 (Authentic Member, 27 posts)

Posted 05 May 2008 - 11:23 PM

Here is the updated DSS log. After running the command you sent and fixing the files, I tried booting into Windows normally and still was seeing the same issues.

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-05 22:05:49
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

Total Physical Memory: 191 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:05 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MBAnti-Malware\mbam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicr...s/?hjtver=2.0.2
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202624207765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5977 bytes

-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-04 07:59:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-04 07:59:46 0 d-------- C:\Program Files\MBAnti-Malware
2008-05-04 07:59:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-03 23:43:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-03 23:25:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-29 22:28:07 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-29 22:28:06 68096 --a------ C:\WINDOWS\zip.exe
2008-04-29 22:28:06 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-29 22:28:06 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-29 22:28:06 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-29 22:28:06 98816 --a------ C:\WINDOWS\sed.exe
2008-04-29 22:28:06 80412 --a------ C:\WINDOWS\grep.exe
2008-04-29 22:28:06 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-29 21:39:15 0 d-------- C:\WINDOWS\ERUNT
2008-04-29 07:37:31 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-27 19:56:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-27 19:56:20 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-27 19:56:20 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-27 19:56:20 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-27 19:56:20 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-27 19:56:20 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-27 19:56:20 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-27 19:56:20 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-27 19:56:20 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-27 19:56:20 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-27 19:56:20 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-27 19:56:20 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-27 19:56:20 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-27 19:56:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-27 19:56:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-27 19:56:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-27 19:56:16 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-04-29 22:09:27 0 d-------- C:\Program Files\Common Files
2008-04-27 16:37:57 24576 --a------ C:\WINDOWS\system32\userinit.exe
2008-03-11 08:32:45 0 d-------- C:\Program Files\Phun
2008-03-08 21:47:49 0 d-------- C:\Program Files\MediaCoder
2008-02-09 22:26:46 112128 -r-h----- C:\WINDOWS\CdaC14BA.DLL
2008-02-09 22:26:45 30720 -r-h----- C:\WINDOWS\CdaC13BA.EXE


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 05:33 AM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [10/08/2004 02:44 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [10/08/2004 02:43 PM]
"NDSTray.exe"="NDSTray.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 09:26 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [12/10/2003 04:52 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/22/2005 12:47 PM]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [11/29/2006 02:11 AM]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [09/14/2006 11:21 PM]
"CFSServ.exe"="CFSServ.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [12/30/2004 12:32 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tommy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Tommy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
"c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-05-05 22:07:31 ------------
