
Topic: Infected laptop

SuperDave (Topic Starter)
Infected laptop
« on: March 26, 2008, 07:49:02 AM »
I just purchased a new Toshiba laptop running Vista Home, 200 GB HDD with 2 GB RAM. It's an AMD Turion 64 X2 Mobile Technology TL-60. It has Norton Internet Security. When I went on-line to find some other anti-spyware and anti-malware programs I got infected. I tried to clean it using CCleaner, Spybot S&D and SpywareBlaster. I get these pop-ups from Security System warning: C:Windows\WML.exe Abebot spyware infection. It asks me to click Next to fix the problem and it takes me to the PC-Antispyware website where it wants to sell me a program to fix this. It tells me there are 56 spyware found but it will cost dollars to fix. I have the MS firewall and Windows Defender on. Spybot was able to clean 5 items. Then I get a message that Trojandownloader.xs is present. So I booted in safe mode and ran all my scans to no avail. Stopzilla found 79 problems but they also want dollars to repair. I then tried 1,2,3 Spyware Free which found (corrected?) 3 problems. Next I tried SuperAntiSpyware, which is recommended in this forum, and it also corrected some problems but I'm still getting the security warning. Here is the HijackThis log:


[recovering space - attachment deleted by admin]
Windows 8 and Windows 10 dual boot with two SSD's

evilfantasy
Re: Infected laptop
« Reply #1 on: March 26, 2008, 01:17:02 PM »
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from either of these two links.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please copy and paste the log into your next reply.
Note: If you accidentally close the log it can be retrieved at any time from the Malwarebytes' Anti-Malware main screen.
  • Launch Malwarebytes' Anti-Malware.
  • Click the Logs tab.
  • Double-click log-mm.dd.yyyy [xxxxxx].txt

----------

Create An Uninstall List
  • Start HijackThis
  • Click on the Open the Misc Tools section
  • Click on the Open Uninstall Manager button.
  • Click on the Save list button and specify where you would like to save this file and click Save.
    • When you press the Save button a notepad will open with the contents of that file.
  • Copy and paste that list in your reply.

----------

Now run a new HijackThis scan and post that log also.

----------

Next post
  • MBAM log
  • Uninstall list
  • NEW HijackThis log

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #2 on: March 26, 2008, 03:15:37 PM »
Uninstall log

[recovering space - attachment deleted by admin]

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #3 on: March 26, 2008, 03:18:49 PM »
Sorry, it's too long to attach.
    Logfile of HijackThis v1.99.1
    Scan saved at 4:39:08 PM, on 26/03/2008
    Platform: Unknown Windows (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\ltmoh\ltmoh.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Windows\System32\jshalgvu.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://exclusive.aliant.net/home.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shoptoshiba.ca/welcome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shoptoshiba.ca/welcome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #4 on: March 26, 2008, 03:19:48 PM »
2nd part
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [gaiembcv] C:\Windows\system32\jshalgvu.exe
    O4 - HKCU\..\Run: [ngrmrzkm] C:\Windows\system32\hotwdkfg.exe
    O4 - HKCU\..\Run: [eucpwsvr] C:\Windows\system32\lqjsxmde.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1206060701_43f06474ffcffb2dab6406fb89c3ab46&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

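A triage helper for the O4 (Run key) entries in the HijackThis log above, added here as an example and not a tool used in this thread: it flags autorun entries whose registry value name and executable are both lowercase random-looking tokens (such as [gaiembcv] -> jshalgvu.exe) and cross-checks them against the "Running processes" section. The heuristic, the `triage` function and the `SAMPLE_LOG` excerpt are constructed for this example; the excerpt copies lines from the posted log.

```python
"""Flag random-named autorun entries in a HijackThis log (constructed example).

The heuristic is an assumption made for this example: the rogue dropper in the
thread registered HKCU\\..\\Run values like [gaiembcv] -> system32\\jshalgvu.exe,
where both the value name and the file name are throwaway lowercase tokens,
while vendor entries ([ccApp], [SynTPStart], ...) use mixed case and stable names.
"""
import re
from dataclasses import dataclass

# Matches lines such as: O4 - HKCU\..\Run: [gaiembcv] C:\Windows\system32\jshalgvu.exe
O4_RUN = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Six to twelve lowercase letters only; case-sensitive on purpose so that
# mixed-case vendor names like RtHDVCpl or TOSCDSPD are not flagged.
RANDOM_TOKEN = re.compile(r"^[a-z]{6,12}$")


@dataclass(frozen=True)
class Finding:
    hive: str
    value_name: str
    path: str
    reasons: tuple


def exe_path(cmd: str) -> str:
    """Return the executable from an O4 command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\Program Files\...\x.exe" /arg
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path that may contain spaces: cut at the first ".exe" token boundary.
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def exe_stem(path: str) -> str:
    """File name without directory or extension, case preserved."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def running_processes(lines) -> set:
    """Lower-cased paths listed under 'Running processes:' up to the next blank line."""
    procs, active = set(), False
    for line in lines:
        s = line.strip()
        if s.startswith("Running processes:"):
            active = True
        elif active and not s:
            break
        elif active:
            procs.add(s.lower())
    return procs


def triage(log_text: str):
    """Return Findings for O4 Run entries that look machine-named, with evidence."""
    lines = log_text.splitlines()
    running = running_processes(lines)
    findings = []
    for line in lines:
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        path, name = exe_path(m["cmd"]), m["name"]
        stem = exe_stem(path)
        if not (RANDOM_TOKEN.match(name) and RANDOM_TOKEN.match(stem)):
            continue
        reasons = ["value name and executable are both lowercase random-looking tokens"]
        if "\\system32\\" in path.lower():
            reasons.append("executable dropped in system32")
        if name.lower() != stem.lower():
            reasons.append("value name does not match executable")
        if path.lower() in running:
            reasons.append("process currently running")
        findings.append(Finding(m["hive"], name, path, tuple(reasons)))
    return findings


# Excerpt constructed from the log posted above (a few process lines and O4 entries).
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\jshalgvu.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [gaiembcv] C:\Windows\system32\jshalgvu.exe
O4 - HKCU\..\Run: [ngrmrzkm] C:\Windows\system32\hotwdkfg.exe
O4 - HKCU\..\Run: [eucpwsvr] C:\Windows\system32\lqjsxmde.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive} Run [{f.value_name}] -> {f.path}")
        for r in f.reasons:
            print("    -", r)
```

The three flagged entries are exactly the ones MBAM later tied to Trojan.FakeAlert; a legitimate all-lowercase name would also trip the token check, so treat a hit as a lead to verify, not a verdict.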

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #5 on: March 26, 2008, 03:23:40 PM »
Sorry, this is the only way I can post this log. It's saved somewhere on my laptop but I can't find it. Vista has to be the most unfriendly program I've ever encountered. I'm still getting the pop-ups for the PC Antispyware site.
    Malwarebytes' Anti-Malware 1.09
    Database version: 551

    Scan type: Quick Scan
    Objects scanned: 29948
    Time elapsed: 3 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 4
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{10f0c2a9-8e38-43e3-204d-45524c494e20} (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10f0c2a9-8e38-43e3-204d-45524c494e20} (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\PC-Antispyware (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qvdntlmw.bfxa (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qvdntlmw.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fvbuegva (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Users\Dave's computer\AppData\Roaming\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    C:\Program Files\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    C:\Program Files\PC-Antispyware (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.
    C:\Windows\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Windows\System32\izklcjkr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Windows\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Dave's computer\AppData\Roaming\PC-Cleaner\log.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    C:\Users\Dave's computer\AppData\Roaming\PC-Cleaner\settings.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    C:\Program Files\PC-Antispyware\PopupBlocker.dll (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.
    C:\Windows\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Windows\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.

evilfantasy
Re: Infected laptop
« Reply #6 on: March 26, 2008, 03:30:26 PM »
Go to add/remove programs and uninstall:
  • 123 Spyware Free
  • Java(TM) 6 Update 2

----------

MBAM removed a bunch of PC-Antispyware entries; are you still getting pop-ups from it?

Please run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan
    • Note: It may take a couple of minutes
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  • Post the contents of the ActiveScan report in the next reply.

Important note: You will see the option to Disinfect my PC on the green button in the bottom of the window.
This only works if you buy the full version. There is no need to pay to remove anything, they can be removed with free programs.
It is, however, your choice.

Next post please add
  • Panda scan log

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #7 on: March 26, 2008, 05:21:03 PM »
Evil, I haven't seen any more pop-ups since I uninstalled those programs, but when I go on the Panda site and click Scan Now I just get a blank page. No error, just a blank page. I can see that page on my PC but not on my laptop. Is there another way to get there?

evilfantasy
Re: Infected laptop
« Reply #8 on: March 26, 2008, 05:46:00 PM »
Are you using Internet Explorer? It won't work in any other browser.

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #9 on: March 26, 2008, 05:49:55 PM »
Yes, IE on both computers. Oh, and by the way, I just turned around and there was another pop-up from PC Antispyware.

evilfantasy
Re: Infected laptop
« Reply #10 on: March 26, 2008, 05:55:34 PM »
Run MBAM again, this time do a Full Scan, not a Quick Scan.

Please post that log when it is finished.

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #11 on: March 26, 2008, 06:08:16 PM »
I've already run a full scan in regular mode and one in safe mode and they both came up empty, but I'll run it again.
EDIT: I just received another pop-up saying something about Trojan-downloader.xs, and I notice that there is a folder on my HDD called desktopvirii with 5 files entitled trojan-downloader.Win32 Agent .bl, Agent.p, Agent.r, Agent.t and Agent.v, all dated March 24/08 at 4:20 pm.
« Last Edit: March 26, 2008, 06:20:19 PM by SuperDave »

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #12 on: March 26, 2008, 06:39:09 PM »
      Malwarebytes' Anti-Malware 1.09
      Database version: 551

      Scan type: Full Scan (C:\|D:\|)
      Objects scanned: 109592
      Time elapsed: 23 minute(s), 40 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

evilfantasy
Re: Infected laptop
« Reply #13 on: March 26, 2008, 06:46:51 PM »
OK, let's run another tool.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally add the contents of the Report.txt in your next post.

----------

Also please run a new HijackThis scan and post that log as well.

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #14 on: March 26, 2008, 07:11:32 PM »
RunThis.bat won't run. Is this because I'm running Vista?

evilfantasy
Re: Infected laptop
« Reply #15 on: March 26, 2008, 07:24:32 PM »
OK, we need to get something running here. Hopefully this is the one.

Please run the F-Secure Online Scanner

Note: This Scanner works with Internet Explorer Only!
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the ActiveX control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
    • If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post.
If needed go to Start > Run > type Notepad.exe then press OK.
Paste the log into Notepad and save it to the desktop so it can easily be posted later.

This scan can take quite some time, so please be patient.

Next post
  • F-Secure log

SuperDave (Topic Starter)
Re: Infected laptop
« Reply #16 on: March 26, 2008, 09:50:42 PM »
      Scanning Report
      Wednesday, March 26, 2008 22:40:14 - 00:48:43
      Computer name: DAVE-LAPTOP
      Scanning type: Scan system for malware, rootkits
      Target: C:\ D:\


      --------------------------------------------------------------------------------

      Result: 2 malware found
      Downloader.Win32.UltimateFix (spyware)
      System
      Tracking Cookie (spyware)
      System

      --------------------------------------------------------------------------------

      Statistics
      Scanned:
      Files: 26833
      System: 3864
      Not scanned: 22
      Actions:
      Disinfected: 0
      Renamed: 0
      Deleted: 0
      None: 2
      Submitted: 0
      Files not scanned:
      C:\HIBERFIL.SYS
      C:\PAGEFILE.SYS
      C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
      C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
      C:\WINDOWS\SYSTEM32\CONFIG\SAM
      C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
      C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
      C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
      C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
      C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
      C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
      C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
      C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
      C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
      C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
      C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
      C:\USERS\DAVE'S COMPUTER\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{8DF45552-A3FD-432E-A576-F9D559F826DF}
      C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\ED80A482B1F410658B28B47EA513B454_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
      C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FCD3BCC382783D5142E645B139AA2D65_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
      C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\ED80A482B1F410658B28B47EA513B454_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
      C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FCD3BCC382783D5142E645B139AA2D65_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
      C:\BOOT\BCD

      --------------------------------------------------------------------------------

      Options
      Scanning engines:
      F-Secure USS: 2.30.0
      F-Secure Hydra: 2.8.8110, 2008-03-27
      F-Secure AVP: 7.0.171, 2008-03-27
      F-Secure Pegasus: 1.20.0, 2008-02-26
      Scanning options:
      Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
      Use Advanced heuristics

      --------------------------------------------------------------------------------


      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Infected laptop
      « Reply #17 on: March 26, 2008, 10:01:36 PM »
      Quote
      Disinfected: 0
      Renamed: 0
      Deleted: 0

      You didn't have it clean the malware?

      Run this scan; it will only take a few minutes. I may be able to find the files in here and we can delete them that way. You will probably need two posts for both logs.

      Download Deckard's System Scanner (DSS) to your Desktop.
      Note: You must be logged onto an account with administrator privileges.
      • Close all applications and windows.
      • Double-click on dss.exe to run it, and follow the prompts.
      • When the scan is complete, two text files will open:
        • main.txt <- this one will be maximized
        • extra.txt <- this one will be minimized
      • Add the contents of main.txt in your post.
      • Also add extra.txt to your post.
      • The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

      What DSS will do:
      • Create a new System Restore point in Windows XP and Vista.
      • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
      • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

        SuperDave

          Topic Starter
        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Infected laptop
        « Reply #18 on: March 27, 2008, 06:07:41 AM »
        I ran the scan again and nothing was found. I'll try the other one now.
        Thursday, March 27, 2008 08:18:13 - 09:03:03
        Computer name: DAVE-LAPTOP
        Scanning type: Scan system for malware, rootkits
        Target: C:\ D:\


        --------------------------------------------------------------------------------

        Result: 0 malware found

        --------------------------------------------------------------------------------

        Statistics
        Scanned:
        Files: 26859
        System: 3864
        Not scanned: 22
        Actions:
        Disinfected: 0
        Renamed: 0
        Deleted: 0
        None: 0
        Submitted: 0
        Files not scanned:
        C:\HIBERFIL.SYS
        C:\PAGEFILE.SYS
        C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
        C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
        C:\WINDOWS\SYSTEM32\CONFIG\SAM
        C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
        C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
        C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
        C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
        C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
        C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
        C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
        C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
        C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
        C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
        C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
        C:\USERS\DAVE'S COMPUTER\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{8DF45552-A3FD-432E-A576-F9D559F826DF}
        C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\ED80A482B1F410658B28B47EA513B454_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
        C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FCD3BCC382783D5142E645B139AA2D65_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
        C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\ED80A482B1F410658B28B47EA513B454_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
        C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FCD3BCC382783D5142E645B139AA2D65_62BAC37C-8BF7-4A7C-BAC5-D89F18910D3E
        C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL

        --------------------------------------------------------------------------------
        Windows 8 and Windows 10 dual boot with two SSD's

        SuperDave

          Topic Starter
        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Infected laptop
        « Reply #19 on: March 27, 2008, 06:18:56 AM »
        Deckard's System Scanner v20071014.68
        Run by Dave's computer on 2008-03-27 09:10:25
        Computer is in Normal Mode.
        --------------------------------------------------------------------------------

        -- Last 5 Restore Point(s) --
        25: 2008-03-27 06:01:42 UTC - RP128 - Windows Update
        24: 2008-03-26 23:02:38 UTC - RP127 - Removed Java(TM) 6 Update 2
        23: 2008-03-26 11:46:44 UTC - RP126 - Windows Update
        22: 2008-03-26 01:54:11 UTC - RP125 - Installed SUPERAntiSpyware Free Edition
        21: 2008-03-25 21:43:33 UTC - RP124 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.


        -- First Restore Point --
        1: 2008-03-20 17:29:17 UTC - RP102 - Windows Update


        Backed up registry hives.
        Performed disk cleanup.



        -- HijackThis (run as Dave's computer.exe) -------------------------------------

        Unable to find log (file not found); running clone.
        -- HijackThis Clone ------------------------------------------------------------


        Emulating logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 2008-03-27 09:13:28
        Platform: Windows Vista  (6.00.6000)
        MSIE: Internet Explorer (7.00.6000.16386)
        Boot mode: Normal

        Running processes:
        C:\Windows\System32\dwm.exe
        C:\Windows\explorer.exe
        C:\Windows\System32\taskeng.exe
        C:\Program Files\Windows Defender\MSASCui.exe
        C:\Windows\RtHDVCpl.exe
        C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
        C:\Program Files\Synaptics\SynTP\SynTPStart.exe
        C:\Program Files\ltmoh\ltmoh.exe
        C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
        C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
        C:\Program Files\Toshiba\SmoothView\SmoothView.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
        C:\Program Files\Synaptics\SynTP\SynToshiba.exe
        C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
        C:\Program Files\Common Files\Symantec Shared\ccApp.exe
        C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
        C:\Program Files\Windows Sidebar\sidebar.exe
        C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
        C:\Windows\System32\jshalgvu.exe
        C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
        C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
        C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Windows\Downloaded Program Files\gatelauncher.exe
        C:\Users\DAVE'S~1\AppData\Local\Temp\fsgk32.exe
        C:\Users\DAVE'S~1\AppData\Local\Temp\fssm32.exe
        C:\Users\Dave's computer\Desktop\dss.exe
        C:\Windows\System32\conime.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://exclusive.aliant.net/home.jsp
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shoptoshiba.ca/welcome
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
        Windows 8 and Windows 10 dual boot with two SSD's

        SuperDave

          Topic Starter
        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Infected laptop
        « Reply #20 on: March 27, 2008, 06:25:06 AM »
        O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
        O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
        O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
        O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
        O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
        O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
        O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
        O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
        O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
        O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
        O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
        O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
        O4 - HKCU\..\Run: [gaiembcv] C:\Windows\system32\jshalgvu.exe
        O4 - HKCU\..\Run: [ngrmrzkm] C:\Windows\system32\hotwdkfg.exe
        O4 - HKCU\..\Run: [eucpwsvr] C:\Windows\system32\lqjsxmde.exe
        O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
        O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\microsoft shared\Web Folders\PKMCDO.DLL
        O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\microsoft shared\Web Components\10\OWC10.DLL
        O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\System32\agrsmsvc.exe
        O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\System32\Ati2evxx.exe
        O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
        O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
        O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
        O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
        O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
        O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
        O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
        O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
        O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
        O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
        O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\System32\TODDSrv.exe
        O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
        O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
        O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


        --
        End of file - 9262 bytes

        -- File Associations -----------------------------------------------------------

        .reg - regfile - shell\open\command - regedit.exe"%1" %*
        .scr - scrfile - shell\open\command - "%1" %*


        -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

        R3 F-Secure Standalone Minifilter - \??\c:\users\dave's~1\appdata\local\temp\onlinescanner\anti-virus\fsgk.sys
        R3 SASENUM - \??\c:\program files\superantispyware\sasenum.sys


        -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

        R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
        R2 rpcnet (Remote Procedure Call (RPC) Net) - c:\windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>
        R2 TNaviSrv (TOSHIBA Navi Support Service) - c:\program files\toshiba\toshiba dvd player\tnavisrv.exe <Not Verified; TOSHIBA Corporation; TOSHIBA DVD Player>
        R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>


        -- Device Manager: Disabled ----------------------------------------------------

        No disabled devices found.


        -- Scheduled Tasks -------------------------------------------------------------

        2008-03-21 21:28:47       508 --a------ C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Dave's computer.job

        Windows 8 and Windows 10 dual boot with two SSD's

        SuperDave

          Topic Starter
        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Infected laptop
        « Reply #21 on: March 27, 2008, 06:28:01 AM »
        -- Files created between 2008-02-27 and 2008-03-27 -----------------------------

        2008-03-26 22:36:25         0 d-------- C:\fsaua.data
        2008-03-26 21:00:33         0 d-------- C:\Program Files\vanBasco's Karaoke Player
        2008-03-26 16:29:05         0 d-------- C:\Users\All Users\Malwarebytes
        2008-03-26 16:29:05         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
        2008-03-26 10:53:52         0 d-------- C:\Users\Dave's computer\.housecall6.6
        2008-03-26 10:53:20         0 d-------- C:\Windows\Sun
        2008-03-25 22:55:14         0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
        2008-03-25 22:54:28         0 d-------- C:\Program Files\SUPERAntiSpyware
        2008-03-25 16:28:00         0 d-------- C:\Users\All Users\SITEguard
        2008-03-25 16:24:46         0 d-------- C:\Program Files\Common Files\iS3
        2008-03-25 16:24:45         0 d-------- C:\Users\All Users\STOPzilla!
        2008-03-25 13:52:31     98304 --a------ C:\Windows\system32\lqjsxmde.exe
        2008-03-25 13:07:36     98304 --a------ C:\Windows\system32\hotwdkfg.exe
        2008-03-25 09:40:53         0 d-------- C:\Program Files\CCleaner
        2008-03-25 09:16:05    106496 --a------ C:\Windows\system32\jshalgvu.exe
        2008-03-24 22:28:05         0 d-------- C:\Program Files\Lavasoft
        2008-03-24 21:50:03         0 d-------- C:\Users\All Users\Lavasoft
        2008-03-24 20:05:30         0 d-a------ C:\Users\All Users\TEMP
        2008-03-24 20:05:27         0 d-------- C:\Program Files\SpywareBlaster
        2008-03-24 17:45:23    691545 --a------ C:\Windows\unins000.exe
        2008-03-24 17:45:23      2553 --a------ C:\Windows\unins000.dat
        2008-03-24 17:36:02         0 d-------- C:\Users\All Users\Spybot - Search & Destroy
        2008-03-24 16:20:45      4096 --a------ C:\Windows\userconfig9x.dll
        2008-03-24 16:20:45      4096 --a------ C:\Windows\system32winlogonpc.exe
        2008-03-24 16:20:45      4096 --a------ C:\Windows\system32taack.exe
        2008-03-24 16:20:45      4096 --a------ C:\Windows\system32taack.dat
        2008-03-24 16:20:45      4096 --a------ C:\Windows\system32sncntr.exe
        2008-03-24 16:20:45      4096 --a------ C:\Windows\system32mwin32.exe
        2008-03-24 16:20:45      4096 --a------ C:\Windows\system32hoproxy.dll
        2008-03-24 16:20:45      4096 --a------ C:\Windows\FVProtect.exe
        2008-03-24 16:20:45      4096 --a------ C:\Windows\a.bat
        2008-03-24 16:20:44      4096 --a------ C:\Windows\winsystem.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32WINWGPX.EXE
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32winsystem.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32vcatchpi.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32vbsys2.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32thun32.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32thun.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32temp#01.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32sysreq.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32ssvchost.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32ssvchost.com
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32ssurf022.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32Rundl1.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32regm64.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32regc64.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32psoft1.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32psof1.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32ps1.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32newsd32.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32netode.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32mtr2.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32msvchost.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32mssecu.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32msnbho.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32msgp.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32medup020.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32medup012.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32hxiwlgpm.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32hxiwlgpm.dat
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32h@tkeysh@@k.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32emesx.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32dpcproxy.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32bsva-egihsg52.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32bdn.com
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32awtoolb.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32anticipator.dll
        2008-03-24 16:20:44      4096 --a------ C:\Windows\system32akttzn.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\mssecu.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\iTunesMusic.exe
        2008-03-24 16:20:44      4096 --a------ C:\Windows\bdn.com
        2008-03-24 16:20:44         0 d-------- C:\Users\Dave's computer\Desktopvirii
        2008-03-24 16:20:44      4096 --a------ C:\Users\Dave's computer\DesktopFWebdEditor.exe
        2008-03-24 16:20:44      4096 --a------ C:\Users\Dave's computer\Desktopfwebd.exe
        2008-03-24 16:20:44      4096 --a------ C:\Users\Dave's computer\Desktopfilemanagerclient.exe
        2008-03-24 16:20:35         0 d-------- C:\Users\All Users\mjwvapap
        2008-03-24 12:33:37         0 d-------- C:\Program Files\Microsoft ActiveSync
        2008-03-22 15:15:16         0 d-------- C:\New Folder
        2008-03-21 02:26:50         0 d-------- C:\Program Files\Atheros
        2008-03-21 02:26:36         0 d-------- C:\Users\All Users\Atheros
        2008-03-21 02:26:30     77824 --a------ C:\Windows\system32\tosmreg.exe <Not Verified; Toshiba Corporation; Tosmreg>
        2008-03-21 02:26:30     45056 --a------ C:\Windows\system32\csellang.dll
        2008-03-21 02:26:30    491520 --a------ C:\Windows\system32\cselect.exe <Not Verified; Toshiba Corporation; toshiba cselect>
        Windows 8 and Windows 10 dual boot with two SSD's
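The approach evilfantasy describes in Reply #17, finding the dropped files in the DSS log and matching them to the startup entries that load them, can be mechanised. The script below is an added example written for this page; it is not code from the thread, from DSS or from HijackThis. It parses the O4 Run lines and the DSS "Files created" lines quoted in the posts above (the sample input is copied from them), cross-references the two, and flags any Run entry whose value name and filename are both random-looking 8-letter strings, or whose executable sits in system32 and was created within a few days of the scan. The 8-letter heuristic, the 7-day window and the %ProgramFiles% expansion are this example's own assumptions, not anything the tools do.

```python
"""Cross-check HijackThis O4 (Run key) entries against a DSS "Files created" listing.

Added example for this thread; not code from the forum, from DSS or from HijackThis.
The sample lines are copied from the logs posted in this thread. The scoring rules
(8-letter random-name pair, 7-day creation window) and the %ProgramFiles% expansion
are this example's own assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: O4 lines taken from the HijackThis section posted above.
HJT_O4_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r"O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r"O4 - HKCU\..\Run: [gaiembcv] C:\Windows\system32\jshalgvu.exe",
    r"O4 - HKCU\..\Run: [ngrmrzkm] C:\Windows\system32\hotwdkfg.exe",
    r"O4 - HKCU\..\Run: [eucpwsvr] C:\Windows\system32\lqjsxmde.exe",
    r"O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')",
]

# Constructed sample: lines taken from the DSS "Files created" section posted above.
DSS_CREATED_LINES = [
    r"2008-03-26 16:29:05         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware",
    r"2008-03-25 13:52:31     98304 --a------ C:\Windows\system32\lqjsxmde.exe",
    r"2008-03-25 13:07:36     98304 --a------ C:\Windows\system32\hotwdkfg.exe",
    r"2008-03-25 09:16:05    106496 --a------ C:\Windows\system32\jshalgvu.exe",
    r"2008-03-21 02:26:30     77824 --a------ C:\Windows\system32\tosmreg.exe <Not Verified; Toshiba Corporation; Tosmreg>",
]

# From the DSS header posted above: "Run by Dave's computer on 2008-03-27 09:10:25".
SCAN_TIME = datetime(2008, 3, 27, 9, 10, 25)

# Assumption: default Program Files location on this 32-bit Vista install.
ENV_VARS = {"%programfiles%": r"C:\Program Files"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DSS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+"
    r"(?P<path>.+?)(?:\s+<[^>]*>)?$"   # trailing "<Not Verified; ...>" is dropped
)


def executable_path(cmd: str) -> str:
    """Pull the program path out of a Run value, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.match(r"(.+?\.(?:exe|com|scr|bat|dll))(?=\s|$)", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split()[0]
    for var, value in ENV_VARS.items():
        # lambda replacement keeps the backslashes in `value` literal
        path = re.sub(re.escape(var), lambda _m: value, path, flags=re.IGNORECASE)
    return path


def parse_o4(line: str):
    """Parse one HijackThis O4 Run line into hive, value name and executable path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # Global Startup items and non-O4 lines are not handled here
    path = executable_path(m.group("cmd"))
    return {"hive": m.group("hive"), "name": m.group("name"),
            "path": path, "filename": path.rsplit("\\", 1)[-1]}


def parse_dss_created(line: str):
    """Parse one DSS 'Files created' line into (timestamp, size, path)."""
    m = DSS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, int(m.group("size")), m.group("path")


def looks_random(token: str) -> bool:
    """Heuristic (this example's assumption): the suspicious entries in this thread
    use value names and filenames that are exactly 8 lowercase ASCII letters."""
    return len(token) == 8 and token.isascii() and token.isalpha() and token.islower()


def triage(hjt_lines, dss_lines, scan_time, window_days=7):
    """Return (value name, path, reasons) for every Run entry worth a closer look."""
    created = {}
    for line in dss_lines:
        parsed = parse_dss_created(line)
        if parsed:
            ts, _size, path = parsed
            created[path.lower()] = ts
    flagged = []
    for line in hjt_lines:
        entry = parse_o4(line)
        if not entry:
            continue
        reasons = []
        stem = entry["filename"].rsplit(".", 1)[0]
        if looks_random(entry["name"]) and looks_random(stem):
            reasons.append("value name and filename are both random-looking 8-letter strings")
        ts = created.get(entry["path"].lower())
        if ts is not None and "\\system32\\" in entry["path"].lower():
            age = scan_time - ts
            if age <= timedelta(days=window_days):
                reasons.append(f"created in system32 on {ts:%Y-%m-%d}, {age.days} day(s) before the scan")
        if reasons:
            flagged.append((entry["name"], entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage(HJT_O4_LINES, DSS_CREATED_LINES, SCAN_TIME):
        print(f"[{name}] {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the lines above it reports the three HKCU entries (gaiembcv, ngrmrzkm, eucpwsvr) and nothing else; the Toshiba, Symantec and Sidebar entries have descriptive names and either are not in the recent-creation list or are not in system32. Neither rule is proof of infection on its own, which is why each hit carries the reasons that triggered it for the analyst to weigh against the rest of the log.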

        SuperDave

          Topic Starter
        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Infected laptop
        « Reply #22 on: March 27, 2008, 06:31:02 AM »
        2008-03-21 02:26:30         0 d-------- C:\Program Files\ltmoh
        2008-03-21 02:26:08         0 d-------- C:\Windows\Options
        2008-03-21 02:26:00         0 d-------- C:\Program Files\Synaptics
        2008-03-21 02:25:25         0 d-------- C:\DOCS
        2008-03-21 02:25:18         0 d-------- C:\Program Files\Toshiba Registration
        2008-03-21 02:25:15         0 d-------- C:\Windows\Downloaded Installations
        2008-03-21 02:25:14         0 d-------- C:\Program Files\OnlinePlay
        2008-03-21 02:19:26         0 d--hs---- C:\System Volume Information
        2008-03-21 00:11:44         0 d-------- C:\Program Files\Norton Internet Security
        2008-03-21 00:10:26         0 d-------- C:\Program Files\Symantec
        2008-03-21 00:10:24         0 d-------- C:\Users\All Users\Symantec
        2008-03-21 00:10:02         0 d-------- C:\Program Files\Common Files\Symantec Shared
        2008-03-20 23:53:44         0 d-------- C:\Program Files\Camera Assistant Software for Toshiba
        2008-03-20 23:53:06         0 d-------- C:\Program Files\Common Files\Toshiba Shared
        2008-03-20 23:49:54         0 dr------- C:\Users\Dave's computer\Searches
        2008-03-20 23:49:41         0 dr------- C:\Users\Dave's computer\Contacts
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Templates
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Start Menu
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\SendTo
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Recent
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\PrintHood
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\NetHood
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\My Documents
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Local Settings
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Cookies
        2008-03-20 23:49:34         0 d--hs---- C:\Users\Dave's computer\Application Data
        2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Videos
        2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Saved Games
        2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Pictures
        2008-03-20 23:49:33   2883584 --ahs---- C:\Users\Dave's computer\NTUSER.DAT
        2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Music
        2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Links
        2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Favorites
        2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Downloads
        2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Documents
        2008-03-20 23:49:33         0 dr------- C:\Users\Dave's computer\Desktop
        2008-03-20 23:49:33         0 d--h----- C:\Users\Dave's computer\AppData
        2008-03-20 23:43:40         0 d-------- C:\Windows\SoftwareDistribution
        2008-03-20 21:48:46     90112 --a------ C:\Windows\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
        2008-03-20 21:48:33         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
        2008-03-20 21:48:30         0 d-------- C:\Psfonts
        2008-03-20 21:47:34         0 d-------- C:\Program Files\Finale 2006
        2008-03-20 21:34:32         0 d-------- C:\Program Files\coolpro2
        2008-03-20 14:39:26     47104 --a------ C:\Windows\system32\rpcnet.dll <Not Verified; Absolute Software Corp.; Installation/Management Application>
        2008-03-20 14:38:57     47104 --a------ C:\Windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>


        -- Find3M Report ---------------------------------------------------------------

        2008-03-26 22:32:36     17408 --a------ C:\Windows\system32\rpcnetp.exe
        2008-03-26 22:32:32     17408 --a------ C:\Windows\system32\rpcnetp.dll
        2008-03-26 20:03:29         0 d-------- C:\Program Files\Java
        2008-03-26 16:29:08         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Malwarebytes
        2008-03-25 22:54:28         0 d-------- C:\Users\Dave's computer\AppData\Roaming\SUPERAntiSpyware.com
        2008-03-25 18:35:02         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Adobe
        2008-03-25 16:24:46         0 d-------- C:\Program Files\Common Files
        2008-03-23 15:23:14         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Macromedia
        2008-03-22 15:44:40     31007 --a------ C:\Users\Dave's computer\AppData\Roaming\UserTile.png
        2008-03-22 15:44:40         0 d-------- C:\Users\Dave's computer\AppData\Roaming\PeerNetworking
        2008-03-21 15:06:23       174 --ahs---- C:\Program Files\desktop.ini
        2008-03-21 14:59:47         0 d-------- C:\Program Files\Windows Calendar
        2008-03-21 14:59:39         0 d-------- C:\Program Files\Windows Mail
        2008-03-21 14:59:35         0 d-------- C:\Program Files\Windows Sidebar
        2008-03-21 14:14:52         0 d-------- C:\Program Files\Microsoft SQL Server
        2008-03-20 23:53:44         0 d--h----- C:\Program Files\InstallShield Installation Information
        2008-03-20 23:53:06         0 d-------- C:\Program Files\Toshiba
        2008-03-20 23:52:14         0 d-------- C:\Users\Dave's computer\AppData\Roaming\InstallShield
        2008-03-20 23:50:33         0 d-------- C:\Users\Dave's computer\AppData\Roaming\ATI
        2008-03-20 23:49:44         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Identities
        2008-03-20 21:36:40         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Syntrillium
        2008-03-20 15:38:09         0 d-------- C:\Users\Dave's computer\AppData\Roaming\Ulead Systems
        2008-03-20 15:27:10         0 d-------- C:\Users\Dave's computer\AppData\Roaming\toshiba


        -- Registry Dump ---------------------------------------------------------------

        *Note* empty entries & legit default entries are not shown


        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [23/08/2007 03:44 PM]
        "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 04:35 PM]
        "RtHDVCpl"="RtHDVCpl.exe" [09/08/2007 08:26 AM C:\Windows\RtHDVCpl.exe]
        "NDSTray.exe"="NDSTray.exe" []
        "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 07:06 AM]
        "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [15/08/2007 04:31 AM]
        "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [09/01/2007 03:23 AM]
        "TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [29/03/2007 10:39 AM]
        "HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [07/12/2006 04:49 PM]
        "SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [15/06/2007 09:01 PM]
        "00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [22/05/2007 04:32 PM]
        "Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [22/05/2007 10:50 AM]
        "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [24/10/2006 07:08 PM]
        "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [26/10/2006 09:18 PM]
        "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [29/01/2008 05:38 PM]
        "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        SuperDave
        Re: Infected laptop
        « Reply #23 on: March 27, 2008, 06:31:55 AM »
        "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [21/03/2008 02:03 PM]
        "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [18/05/2007 07:43 AM]
        "gaiembcv"="C:\Windows\system32\jshalgvu.exe" [25/03/2008 09:16 AM]
        "ngrmrzkm"="C:\Windows\system32\hotwdkfg.exe" [25/03/2008 01:07 PM]
        "eucpwsvr"="C:\Windows\system32\lqjsxmde.exe" [25/03/2008 01:52 PM]
        "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29/02/2008 04:03 PM]

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
        Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 1:01:04 AM]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "ConsentPromptBehaviorAdmin"=2 (0x2)
        "EnableLUA"=0 (0x0)

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 PM 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
        @="Driver"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
        @="Driver"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
        @="Volume shadow copy"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
        @="IEEE 1394 Bus host controllers"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
        @="SBP2 IEEE 1394 Devices"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
        @="SecurityDevices"

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        LocalSystemNetworkRestricted   hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

        *Newly Created Service* - COMHOST
        *Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER

        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
        C:\Windows\system32\unregmp2.exe /ShowWMP

        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
        %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



        -- Hosts -----------------------------------------------------------------------


        7934 more entries in hosts file.


        -- End of Deckard's System Scanner: finished at 2008-03-27 09:15:06 ------------

        SuperDave
        Re: Infected laptop
        « Reply #24 on: March 27, 2008, 06:34:02 AM »
        -- System Information ----------------------------------------------------------

        Microsoft® Windows Vista™ Home Premium  (build 6000)
        Architecture: X86; Language: English

        CPU 0: AMD Turion(tm) 64 X2 Mobile Technology TL-60
        Percentage of Memory in Use: 51%
        Physical Memory (total/avail): 1917.44 MiB / 933.83 MiB
        Pagefile Memory (total/avail): 4072.06 MiB / 2626.33 MiB
        Virtual Memory (total/avail): 2047.88 MiB / 1924 MiB

        C: is Fixed (NTFS) - 173.27 GiB total, 130.34 GiB free.
        D: is Fixed (NTFS) - 6.01 GiB total, 5.84 GiB free.
        E: is CDROM (No Media)

        \\.\PHYSICALDRIVE0 - TOSHIBA MK2046GSX ATA Device - 186.31 GiB - 4 partitions
          \PARTITION0 - Unknown - 1500 MiB
          \PARTITION1 (bootable) - Installable File System - 173.27 GiB - C:
          \PARTITION2 - Installable File System - 6.01 GiB - D:
          \PARTITION3 - Unknown - 5.56 GiB



        -- Security Center -------------------------------------------------------------

        AUOptions is scheduled to auto-install.
        Windows Internal Firewall is disabled.

        FW: Norton Internet Security v2007 (Symantec Corporation)
        AV: Norton Internet Security v2007 (Symantec Corporation)
        AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
        AS: SUPERAntiSpyware v4, 0, 0, 1154 (SUPERAntiSpyware.com)
        AS: Norton Internet Security v2007 (Symantec Corporation)

        [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

        [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


        -- Environment Variables -------------------------------------------------------

        ALLUSERSPROFILE=C:\ProgramData
        APPDATA=C:\Users\Dave's computer\AppData\Roaming
        CommonProgramFiles=C:\Program Files\Common Files
        COMPUTERNAME=DAVE-LAPTOP
        ComSpec=C:\Windows\system32\cmd.exe
        configsetroot=C:\Windows\ConfigSetRoot
        FP_NO_HOST_CHECK=NO
        HKCU_S=\REGISTRY\CUSER\Software
        HKLM_S=\REGISTRY\MACHINE\Software
        HOMEDRIVE=C:
        HOMEPATH=\Users\Dave's computer
        LOCALAPPDATA=C:\Users\Dave's computer\AppData\Local
        LOGONSERVER=\\DAVE-LAPTOP
        NUMBER_OF_PROCESSORS=2
        OS=Windows_NT
        Path=C:\Program Files\Internet Explorer;;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;C:\Program Files\Microsoft SQL Server\90\Tools\binn\
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=x86
        PROCESSOR_IDENTIFIER=x86 Family 15 Model 104 Stepping 2, AuthenticAMD
        PROCESSOR_LEVEL=15
        PROCESSOR_REVISION=6802
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        PROMPT=$P$G
        PUBLIC=C:\Users\Public
        SESSIONNAME=Console
        SystemDrive=C:
        SystemRoot=C:\Windows
        TEMP=C:\Users\DAVE'S~1\AppData\Local\Temp
        TMP=C:\Users\DAVE'S~1\AppData\Local\Temp
        USERDOMAIN=Dave-laptop
        USERNAME=Dave's computer
        USERPROFILE=C:\Users\Dave's computer
        windir=C:\Windows


        SuperDave
        Re: Infected laptop
        « Reply #25 on: March 27, 2008, 06:35:57 AM »
        -- User Profiles ---------------------------------------------------------------

        Dave's computer (admin)


        -- Add/Remove Programs ---------------------------------------------------------

         --> "C:\Program Files\InstallShield Installation Information\{A644254B-92F6-4970-8635-AB0775371E72}\setup.exe" --u:{A644254B-92F6-4970-8635-AB0775371E72}
         --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{622E6F16-0904-49B6-BBE1-4CC836314CCF}\setup.exe" -l0x9
         --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{697AFC77-F318-4CD4-BF16-F50F4C1072DA}\setup.exe" -l0x9
        Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
        Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
        Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
        AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
        Atheros Driver Installation Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe" -l0x9  -removeonly
        AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
        Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
        Business Contact Manager for Outlook 2007 SP1 --> "C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {B32C4059-6E7A-41EF-AD20-56DF1872B923}
        Business Contact Manager for Outlook 2007 SP1 --> MsiExec.exe /X{B32C4059-6E7A-41EF-AD20-56DF1872B923}
        Camera Assistant Software for Toshiba --> C:\Program Files\InstallShield Installation Information\{37C866E4-AA67-4725-9E95-A39968DD7960}\SETUP.exe -runfromtemp -l0x0009
        Catalyst Control Center - Branding --> MsiExec.exe /I{22543949-70E8-45D0-A938-F38143EB8BF8}
        ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
        CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
        CD/DVD Drive Acoustic Silencer --> C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\SETUP.exe -runfromtemp -l0x0009 -removeonly
        Cool Edit Pro 2.0 --> C:\Program Files\coolpro2\cep2unin.exe
        DVD MovieFactory for TOSHIBA --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}\SETUP.EXE" -l0x9
        Finale 2006 --> C:\Windows\unvise32.exe C:\Program Files\Finale 2006\uninstal.log
        HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
        Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
        LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
        LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
        Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
        Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
        Microsoft Office 2007 Primary Interop Assemblies --> MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
        Microsoft Office Small Business Connectivity Components --> MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
        Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
        Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
        Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
        Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
        Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
        Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
        Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
        MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
        MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
        MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
        MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
        Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
        Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
        Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
        Norton Internet Security --> MsiExec.exe /I{3672B097-EA69-4bfe-B92F-29AE6D9D2B34}
        Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
        Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
        Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
        Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
        Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_1_0_26\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
        Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
        OnlinePlay 1.0 --> C:\Program Files\OnlinePlay\uninst.exe
        Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista --> C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\SETUP.exe -runfromtemp -l0x0009 -removeonly
        Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.exe" -l0x9  -removeonly
        RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\SETUP.EXE" -l0x9 anything
        SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
        Spybot - Search & Destroy 1.5.2.20 --> "C:\Windows\unins000.exe"
        SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
        SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
        SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
        Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
        TOSHIBA Assist --> C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\SETUP.exe -runfromtemp -l0x0009 -removeonly
        TOSHIBA ConfigFree --> C:\Program Files\InstallShield Installation Information\{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}\setup.exe -runfromtemp -l0x0009 uninstall
        TOSHIBA Disc Creator --> MsiExec.exe /X{5DA0E02F-970B-424B-BF41-513A5018E4C0}
        TOSHIBA DVD PLAYER --> C:\Program Files\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe -runfromtemp -l0x0009 -ADDREMOVE -removeonly
        TOSHIBA Extended Tiles for Windows Mobility Center --> C:\Program Files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\SETUP.EXE -runfromtemp -l0x0409
        TOSHIBA Hardware Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BFC85CDC-BD7C-4FDD-9507-8D74B5A79404}\setup.exe" -l0x9
        TOSHIBA Recovery Disc Creator --> MsiExec.exe /X{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}
        Toshiba Registration --> MsiExec.exe /I{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}
        TOSHIBA SD Memory Utilities --> MsiExec.exe /X{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}
        TOSHIBA Software Modem --> Tosmreg -U
        TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
        TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
        TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
        TOSHIBA Supervisor Password --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BDF38E0-1A7F-4220-B4B7-118DD45E5E13}\setup.exe" -l0x9
        TOSHIBA Value Added Package --> C:\Program Files\InstallShield Installation Information\{FEDD27A0-B306-45EF-BF58-B527406B42C8}\setup.exe -runfromtemp -l0x0409
        vanBasco's Karaoke Player --> C:\Program Files\vanBasco's Karaoke Player\uninst.exe
        Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
        Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}

        SuperDave
        Re: Infected laptop
        « Reply #26 on: March 27, 2008, 06:36:47 AM »

        -- Application Event Log -------------------------------------------------------

        Event Record #/Type2782 / Error
        Event Submitted/Written: 03/26/2008 10:32:37 PM
        Event ID/Source: 5007 / WerSvc
        Event Description:
        The target file for the Windows Feedback Platform (a DLL file containing the list of problems on this computer that require additional data collection for diagnosis) could not be parsed. The error code was 8014FFF9.

        Event Record #/Type2780 / Success
        Event Submitted/Written: 03/26/2008 10:32:33 PM
        Event ID/Source: 5617 / WinMgmt
        Event Description:


        Event Record #/Type2779 / Success
        Event Submitted/Written: 03/26/2008 10:32:32 PM
        Event ID/Source: 5615 / WinMgmt
        Event Description:


        Event Record #/Type2775 / Warning
        Event Submitted/Written: 03/26/2008 10:32:32 PM
        Event ID/Source: 3 / SQLBrowser
        Event Description:
        The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.

        Event Record #/Type2770 / Success
        Event Submitted/Written: 03/26/2008 10:31:56 PM
        Event ID/Source: 902 / Software Licensing Service
        Event Description:
        The Software Licensing service has started.



        -- Security Event Log ----------------------------------------------------------

        No Errors/Warnings found.


        -- System Event Log ------------------------------------------------------------

        Event Record #/Type12912 / Warning
        Event Submitted/Written: 03/27/2008 09:14:12 AM
        Event ID/Source: 3004 / WinDefend
        Event Description:
        %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

        For more information please see the following:
        %Dave-laptop275

           Scan ID: {3058924D-3489-4BA1-9881-7AB323922195}

           User: Dave-laptop\Dave's computer

           Name: %Dave-laptop271

           ID: %Dave-laptop272

           Severity ID: %Dave-laptop273

           Category ID: %Dave-laptop274

           Path Found: %Dave-laptop276

           Alert Type: %Dave-laptop278

           Detection Type: 1.1.1505.02

        Event Record #/Type12911 / Warning
        Event Submitted/Written: 03/27/2008 09:14:12 AM
        Event ID/Source: 3004 / WinDefend
        Event Description:
        %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

        For more information please see the following:
        %Dave-laptop275

           Scan ID: {D2580365-694E-4198-A6EF-7377C6E76E56}

           User: Dave-laptop\Dave's computer

           Name: %Dave-laptop271

           ID: %Dave-laptop272

           Severity ID: %Dave-laptop273

           Category ID: %Dave-laptop274

           Path Found: %Dave-laptop276

           Alert Type: %Dave-laptop278

           Detection Type: 1.1.1505.02

        Event Record #/Type12910 / Warning
        Event Submitted/Written: 03/27/2008 09:14:10 AM
        Event ID/Source: 3004 / WinDefend
        Event Description:
        %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

        For more information please see the following:
        %Dave-laptop275

           Scan ID: {9190B177-6561-49C0-8B97-A7824C220668}

           User: Dave-laptop\Dave's computer

           Name: %Dave-laptop271

           ID: %Dave-laptop272

           Severity ID: %Dave-laptop273

           Category ID: %Dave-laptop274

           Path Found: %Dave-laptop276

           Alert Type: %Dave-laptop278

           Detection Type: 1.1.1505.02

        Event Record #/Type12909 / Warning
        Event Submitted/Written: 03/27/2008 09:14:09 AM
        Event ID/Source: 3004 / WinDefend
        Event Description:
        %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

        For more information please see the following:
        %Dave-laptop275

           Scan ID: {0C2BAD20-6B89-4CDA-81EA-1E607C84C395}

           User: Dave-laptop\Dave's computer

           Name: %Dave-laptop271

           ID: %Dave-laptop272

           Severity ID: %Dave-laptop273

           Category ID: %Dave-laptop274

           Path Found: %Dave-laptop276

           Alert Type: %Dave-laptop278

           Detection Type: 1.1.1505.02

        Event Record #/Type12908 / Warning
        Event Submitted/Written: 03/27/2008 09:14:09 AM
        Event ID/Source: 3004 / WinDefend
        Event Description:
        %Dave-laptop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %Dave-laptop27 can't undo changes that you allow.

        For more information please see the following:
        %Dave-laptop275

           Scan ID: {58FFEA37-4BEF-40DE-A762-FBA9C3AC80E9}

           User: Dave-laptop\Dave's computer

           Name: %Dave-laptop271

           ID: %Dave-laptop272

           Severity ID: %Dave-laptop273

           Category ID: %Dave-laptop274

           Path Found: %Dave-laptop276

           Alert Type: %Dave-laptop278

           Detection Type: 1.1.1505.02



        -- End of Deckard's System Scanner: finished at 2008-03-27 09:15:06 ------------

        evilfantasy
        Re: Infected laptop
        « Reply #27 on: March 27, 2008, 11:20:07 AM »
        OK, I know why we have been struggling. The Deckards log was very revealing. I need you to consider the below statements before we continue. Normally I would go ahead with cleaning at this point but the amount of infected files on this PC along with the severity of the damage they are capable of is severe. There are steps that need to be taken by you, especially if you do any banking or transactions of any sort online. (ebay, paypal, credit cards, etc.)


        Your computer is infected by at least one Keylogger and various Backdoor Trojans and Worms. Please read all of this carefully.

        Backdoor Trojans, IRCBots, worms and rootkits are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use Backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

        Read this article: Danger: Remote Access Trojans.

        If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

        Your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the Backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS.

        When should I re-format? How should I reinstall?
        How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

        Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it will be 100% secure afterwards or that the removal will be successful.

        Should you have any questions, please feel free to ask.

        Please let me know what you have decided to do in your next post.
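What makes the Deckard's log above "revealing" is visible in its HKCU Run section: three value names that look machine-generated, each launching an equally random-looking executable dropped in system32 two days before the scan. As an added example (not from this thread, not part of Deckard's System Scanner), the script below parses Run-key lines in that dump's format and scores those signals so the triage is repeatable; the constructed sample reuses entries from the log, and the dd/mm/yyyy timestamp order, the three-day window and the score threshold are assumptions read from this case.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample in the dump's line format; the entries are copied from
# the HKLM/HKCU Run sections of the Deckard's log posted in this thread.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [09/08/2007 08:26 AM C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [21/03/2008 02:03 PM]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [18/05/2007 07:43 AM]
"gaiembcv"="C:\Windows\system32\jshalgvu.exe" [25/03/2008 09:16 AM]
"ngrmrzkm"="C:\Windows\system32\hotwdkfg.exe" [25/03/2008 01:07 PM]
"eucpwsvr"="C:\Windows\system32\lqjsxmde.exe" [25/03/2008 01:52 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29/02/2008 04:03 PM]
'''

# Scan time taken from the log footer ("finished at 2008-03-27 09:15:06").
SCAN_TIME = datetime(2008, 3, 27, 9, 15, 6)
RECENT_WINDOW = timedelta(days=3)  # assumption: tune to the case at hand

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# Deckard prints dd/mm/yyyy in this log (25/03/2008 fixes the order); the
# bracket may be empty or carry the resolved path after the timestamp.
STAMP_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)")
VOWELS = set("aeiouy")

@dataclass
class Finding:
    key: str
    name: str
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

def parse_stamp(meta: str) -> Optional[datetime]:
    """Timestamp from the bracketed metadata, or None when it is absent."""
    m = STAMP_RE.match(meta.strip())
    return datetime.strptime(m.group(1), "%d/%m/%Y %I:%M %p") if m else None

def looks_random(token: str) -> bool:
    """Heuristic: lowercase letters only, 6-10 long, with a run of 4+ consonants."""
    if not (token.isalpha() and token.islower() and 6 <= len(token) <= 10):
        return False
    run = longest = 0
    for ch in token:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4

def _hit(finding: Finding, reason: str) -> None:
    finding.score += 1
    finding.reasons.append(reason)

def score_entry(key: str, name: str, path: str, meta: str) -> Finding:
    """Score one Run entry; each independent signal adds a point (max 5)."""
    finding = Finding(key, name, path)
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(name):
        _hit(finding, "value name looks machine-generated")
    if looks_random(stem):
        _hit(finding, "binary name looks machine-generated")
    if name.lower() not in stem.lower() and stem.lower() not in name.lower():
        _hit(finding, "value name unrelated to the binary it launches")
    if "\\windows\\system32\\" in path.lower():
        _hit(finding, "binary lives in system32 (odd for a Run entry)")
    stamp = parse_stamp(meta)
    if stamp is not None and SCAN_TIME - stamp <= RECENT_WINDOW:
        _hit(finding, "file written within days of the scan")
    return finding

def triage(dump: str, threshold: int = 3) -> List[Finding]:
    """Parse every Run entry in the dump and return those at/above threshold."""
    key = "<no key>"
    flagged: List[Finding] = []
    for raw in dump.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry is None:
            continue
        finding = score_entry(key, entry["name"], entry["path"], entry["meta"])
        if finding.score >= threshold:
            flagged.append(finding)
    return flagged

if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"[{f.score}/5] {f.key}\n    {f.name!r} -> {f.path}\n    " + "; ".join(f.reasons))
```

On the sample, exactly the three HKCU entries the helper would query are flagged, while vendor entries such as Sidebar and TOSCDSPD score zero.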


        SuperDave
        Re: Infected laptop
        « Reply #28 on: March 27, 2008, 12:32:40 PM »
        I just purchased this computer about 2 weeks ago and the trial period runs out April 2/08. There is nothing personal except for a password to get on this forum. I was just loading some programs on it that I wish to use later on. As you possibly can assume, I don't have any disks so re-format is a remote possibility. If I can't get it cleaned, I'll return it.
        evilfantasy
        Re: Infected laptop
        « Reply #29 on: March 27, 2008, 12:43:58 PM »
        I will work up a fix, but first we need to run another tool. It is a quick scan and the instructions are very important to be followed exactly. Please read through them before starting.

        Please download Combofix by sUBs from one of the below links.
        (Try all three if necessary)

        In the event you already have Combofix, please delete it as this is a new version.
        Very important You need to rename Combofix.exe as you download it.
        Please rename it to cf.exe
        It is very important that you save the newly renamed EXE file directly to your Desktop.

        You must rename Combofix.exe as you download it and not after it is on your computer.

        You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it.
        • Open Firefox
          • Click Tools > Options > Main
          • Under the downloads section check the button that says Always ask me where to save files
          • Click OK
        • For Internet Explorer:
          • Choose to Save, not Open the file.
          • When prompted save the file to your Desktop, and rename it cf.exe
        Important! Combofix MUST be saved to and run from the Desktop.
        • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
        • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
          • Click this link to see a list of security programs that should be disabled and how to disable them.
          • If yours is not listed and you don't know how to disable it, please ask.
        • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
        • Double click on the renamed combofix.exe and follow the prompts.
            • From the keyboard select 1 and press Enter
            • When finished, it will produce a log for you.
            • Post that log in your next reply.
            Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
            • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
            • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
            If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly. Still be sure to rename combofix as detailed above.

            ----------

            Next post
            Combofix log


        SuperDave
        Re: Infected laptop
        « Reply #30 on: March 27, 2008, 01:10:52 PM »
        ComboFix 08-03-26.3 - Dave's computer 2008-03-27 16:01:33.1 - NTFSx86
        Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.1150 [GMT -3:00]
        Running from: C:\Users\Dave's computer\Desktop\CF.exe
         * Created a new restore point
        .

        (((((((((((((((((((((((((   Files Created from 2008-02-27 to 2008-03-27  )))))))))))))))))))))))))))))))
        .

        No new files created in this timespan

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-03-27 18:51   ---------   d---a-w   C:\ProgramData\TEMP
        2008-03-27 18:39   ---------   d-----w   C:\ProgramData\Symantec
        2008-03-27 15:41   47,104   ----a-w   C:\Windows\System32\rpcnet.dll
        2008-03-27 15:41   17,408   ----a-w   C:\Windows\System32\rpcnetp.exe
        2008-03-27 15:38   ---------   d-----w   C:\Program Files\Ahead
        2008-03-27 15:12   ---------   d-----w   C:\Program Files\Common Files\InstallShield
        2008-03-27 01:32   17,408   ----a-w   C:\Windows\System32\rpcnetp.dll
        2008-03-27 00:44   ---------   d-----w   C:\Program Files\vanBasco's Karaoke Player
        2008-03-26 23:03   ---------   d-----w   C:\Program Files\Java
        2008-03-26 21:25   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
        2008-03-26 19:29   ---------   d-----w   C:\Users\Dave's computer\AppData\Roaming\Malwarebytes
        2008-03-26 19:29   ---------   d-----w   C:\ProgramData\Malwarebytes
        2008-03-26 19:29   ---------   d-----w   C:\Program Files\Malwarebytes' Anti-Malware
        2008-03-26 18:47   ---------   d-----w   C:\ProgramData\Spybot - Search & Destroy
        2008-03-26 13:54   102,664   ----a-w   C:\Windows\system32\drivers\tmcomm.sys
        2008-03-26 11:45   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
        2008-03-26 01:55   ---------   d-----w   C:\ProgramData\SUPERAntiSpyware.com
        2008-03-26 01:54   ---------   d-----w   C:\Users\Dave's computer\AppData\Roaming\SUPERAntiSpyware.com
        2008-03-26 01:53   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
        2008-03-25 21:44   ---------   d-----w   C:\ProgramData\STOPzilla!
        2008-03-25 20:30   ---------   d-----w   C:\ProgramData\SITEguard
        2008-03-25 19:29   ---------   d-----w   C:\ProgramData\mjwvapap
        2008-03-25 19:24   ---------   d-----w   C:\Program Files\Common Files\iS3
        2008-03-25 16:52   98,304   ----a-w   C:\Windows\System32\lqjsxmde.exe
        2008-03-25 16:07   98,304   ----a-w   C:\Windows\System32\hotwdkfg.exe
        2008-03-25 12:40   ---------   d-----w   C:\Program Files\CCleaner
        2008-03-25 12:16   106,496   ----a-w   C:\Windows\System32\jshalgvu.exe
        2008-03-25 01:28   ---------   d-----w   C:\ProgramData\Lavasoft
        2008-03-25 01:28   ---------   d-----w   C:\Program Files\Lavasoft
        2008-03-24 23:05   ---------   d-----w   C:\Program Files\SpywareBlaster
        2008-03-24 15:33   ---------   d-----w   C:\Program Files\Microsoft ActiveSync
        2008-03-23 18:10   ---------   d-----w   C:\ProgramData\Microsoft Help
        2008-03-22 18:44   ---------   d-----w   C:\Users\Dave's computer\AppData\Roaming\PeerNetworking
        2008-03-22 18:16   ---------   d-----w   C:\Program Files\Finale 2006
        2008-03-21 18:06   174   --sha-w   C:\Program Files\desktop.ini
        2008-03-21 17:59   ---------   d-----w   C:\Program Files\Windows Sidebar
        2008-03-21 17:59   ---------   d-----w   C:\Program Files\Windows Mail
        2008-03-21 17:59   ---------   d-----w   C:\Program Files\Windows Calendar
        2008-03-21 17:26   67,584   ----a-w   C:\Windows\System32\wlanhlp.dll
        2008-03-21 17:26   542,720   ----a-w   C:\Windows\System32\sysmain.dll
        2008-03-21 17:26   502,784   ----a-w   C:\Windows\System32\wlansvc.dll
        2008-03-21 17:26   47,104   ----a-w   C:\Windows\System32\wlanapi.dll
        2008-03-21 17:26   299,008   ----a-w   C:\Windows\System32\wlansec.dll
        2008-03-21 17:26   289,280   ----a-w   C:\Windows\System32\wlanmsm.dll
        2008-03-21 17:26   2,923,520   ----a-w   C:\Windows\explorer.exe
        2008-03-21 17:25   194,560   ----a-w   C:\Windows\System32\WebClnt.dll
        2008-03-21 17:25   110,080   ----a-w   C:\Windows\system32\drivers\mrxdav.sys
        2008-03-21 17:23   613,888   ----a-w   C:\Windows\System32\wpd_ci.dll
        2008-03-21 17:23   224,824   ----a-w   C:\Windows\System32\clfs.sys
        2008-03-21 17:23   19,456   ----a-w   C:\Windows\System32\cfgmgr32.dll
        2008-03-21 17:20   41,984   ----a-w   C:\Windows\system32\drivers\monitor.sys
        2008-03-21 17:20   1,060,920   ----a-w   C:\Windows\system32\drivers\ntfs.sys
        2008-03-21 17:14   ---------   d-----w   C:\Program Files\Microsoft SQL Server
        2008-03-21 17:10   45,112   ----a-w   C:\Windows\system32\drivers\pciidex.sys
        2008-03-21 17:10   3,504,696   ----a-w   C:\Windows\System32\ntkrnlpa.exe
        2008-03-21 17:10   3,470,392   ----a-w   C:\Windows\System32\ntoskrnl.exe
        2008-03-21 17:10   211,000   ----a-w   C:\Windows\system32\drivers\volsnap.sys
        2008-03-21 17:10   21,560   ----a-w   C:\Windows\system32\drivers\atapi.sys
        2008-03-21 17:10   154,624   ----a-w   C:\Windows\system32\drivers\nwifi.sys
        2008-03-21 17:10   15,928   ----a-w   C:\Windows\system32\drivers\pciide.sys
        2008-03-21 17:10   109,624   ----a-w   C:\Windows\system32\drivers\ataport.sys

        SuperDave
        Re: Infected laptop
        « Reply #31 on: March 27, 2008, 01:12:14 PM »
        2008-03-21 17:10   1,191,936   ----a-w   C:\Windows\System32\msxml3.dll
        2008-03-21 17:09   8,704   ----a-w   C:\Windows\System32\hcrstco.dll
        2008-03-21 17:09   8,704   ----a-w   C:\Windows\System32\hccoin.dll
        2008-03-21 17:09   73,216   ----a-w   C:\Windows\system32\drivers\usbccgp.sys
        2008-03-21 17:09   5,888   ----a-w   C:\Windows\system32\drivers\usbd.sys
        2008-03-21 17:09   38,400   ----a-w   C:\Windows\system32\drivers\usbehci.sys
        2008-03-21 17:09   224,768   ----a-w   C:\Windows\system32\drivers\usbport.sys
        2008-03-21 17:09   193,536   ----a-w   C:\Windows\system32\drivers\usbhub.sys
        2008-03-21 17:09   19,456   ----a-w   C:\Windows\system32\drivers\usbohci.sys
        2008-03-21 17:08   803,328   ----a-w   C:\Windows\system32\drivers\tcpip.sys
        2008-03-21 17:08   24,064   ----a-w   C:\Windows\System32\netcfg.exe
        2008-03-21 17:08   22,016   ----a-w   C:\Windows\System32\netiougc.exe
        2008-03-21 17:08   216,632   ----a-w   C:\Windows\system32\drivers\netio.sys
        2008-03-21 17:08   167,424   ----a-w   C:\Windows\System32\tcpipcfg.dll
        2008-03-21 17:08   1,327,104   ----a-w   C:\Windows\System32\quartz.dll
        2008-03-21 17:07   9,728   ----a-w   C:\Windows\System32\LAPRXY.DLL
        2008-03-21 17:07   57,856   ----a-w   C:\Windows\System32\SLUINotify.dll
        2008-03-21 17:07   566,784   ----a-w   C:\Windows\System32\SLCommDlg.dll
        2008-03-21 17:07   39,936   ----a-w   C:\Windows\System32\slcinst.dll
        2008-03-21 17:07   351,232   ----a-w   C:\Windows\System32\SLUI.exe
        2008-03-21 17:07   33,280   ----a-w   C:\Windows\System32\slwmi.dll
        2008-03-21 17:07   268,288   ----a-w   C:\Windows\System32\mcbuilder.exe
        2008-03-21 17:07   223,232   ----a-w   C:\Windows\System32\WMASF.DLL
        2008-03-21 17:07   223,232   ----a-w   C:\Windows\System32\SLC.dll
        2008-03-21 17:07   2,605,568   ----a-w   C:\Windows\System32\SLsvc.exe
        2008-03-21 17:07   186,368   ----a-w   C:\Windows\System32\SLLUA.exe
        2008-03-21 17:06   1,335,296   ----a-w   C:\Windows\System32\msxml6.dll
        2008-03-21 17:04   84,480   ----a-w   C:\Windows\System32\INETRES.dll
        2008-03-21 17:04   737,792   ----a-w   C:\Windows\System32\inetcomm.dll
        2008-03-21 17:04   537,600   ----a-w   C:\Windows\AppPatch\AcLayers.dll
        2008-03-21 17:04   449,536   ----a-w   C:\Windows\AppPatch\AcSpecfc.dll
        2008-03-21 17:04   4,247,552   ----a-w   C:\Windows\System32\GameUXLegacyGDFs.dll
        2008-03-21 17:04   2,144,256   ----a-w   C:\Windows\AppPatch\AcGenral.dll
        2008-03-21 17:04   173,056   ----a-w   C:\Windows\AppPatch\AcXtrnal.dll
        2008-03-21 17:04   1,686,528   ----a-w   C:\Windows\System32\gameux.dll
        2008-03-21 17:03   11,776   ----a-w   C:\Windows\System32\sbunattend.exe
        2008-03-21 17:02   84,992   ----a-w   C:\Windows\system32\drivers\srvnet.sys
        2008-03-21 17:02   788,992   ----a-w   C:\Windows\System32\rpcrt4.dll
        2008-03-21 17:02   58,368   ----a-w   C:\Windows\system32\drivers\mrxsmb20.sys
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-21 14:03 1232896]
        "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 07:43 430080]
        "gaiembcv"="C:\Windows\system32\jshalgvu.exe" [2008-03-25 09:16 106496]
        "ngrmrzkm"="C:\Windows\system32\hotwdkfg.exe" [2008-03-25 13:07 98304]
        "eucpwsvr"="C:\Windows\system32\lqjsxmde.exe" [2008-03-25 13:52 98304]
        "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-23 15:44 1006264]
        "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 16:35 90112]
        "RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 08:26 4702208 C:\Windows\RtHDVCpl.exe]
        "NDSTray.exe"="NDSTray.exe" []
        "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 07:06 40048]
        "SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 04:31 102400]
        "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-09 03:23 191552]
        "TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
        "HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
        "SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 21:01 448080]
        "00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
        "Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 10:50 413696]
        "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-24 19:08 107112]
        "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-10-26 21:18 22696]
        "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
        "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
        "NeroCheck"="C:\Windows\system32\\NeroCheck.exe" [2001-07-09 07:50 155648]

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
        Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "EnableLUA"= 0 (0x0)

        SuperDave
        Re: Infected laptop
        « Reply #32 on: March 27, 2008, 01:13:01 PM »
        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
        "UacDisableNotify"=dword:00000001
        "InternetSettingsDisableNotify"=dword:00000001
        "AutoUpdateDisableNotify"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
        "TCP Query User{8926E51C-6B00-4E7A-8451-641DEAFEA33A}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
        "UDP Query User{B8711CB7-554C-47ED-BAB2-C92BCDBB4478}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
        "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
        "EnableFirewall"= 0 (0x0)

        R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 00:23]
        R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-08-01 14:37]
        R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080325.002\IDSvix86.sys [2008-03-12 08:30]
        R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 17:50]
        R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
        R2 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-08-01 14:39]
        R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-26 01:55]
        R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-06-18 22:03]
        R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-27 12:36]
        R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 18:11]
        R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2006-10-24 10:40]
        R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 15:50]
        R3 UVCFTR;UVCFTR;C:\Windows\system32\Drivers\UVCFTR_S.SYS [2007-04-16 10:19]
        S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
        S3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 20:32]

        *Newly Created Service* - COMHOST
        .
        Contents of the 'Scheduled Tasks' folder
        "2008-03-22 00:28:47 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Dave's computer.job"
        - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
        .
        **************************************************************************

        catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-03-27 16:03:50
        Windows 6.0.6000  NTFS

        scanning hidden processes ...

        scanning hidden autostart entries ...

        HKCU\Software\Microsoft\Windows\CurrentVersion\Run
          TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????7?B??0?<?X?<???<???<???

        scanning hidden files ...

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        Completion time: 2008-03-27 16:04:24
        ComboFix-quarantined-files.txt  2008-03-27 19:04:21
              The system cannot find message text for message number 0x2379 in the message file for Application.
              The system cannot find message text for message number 0x2379 in the message file for Application.
        .
        2008-03-27 06:02:21   --- E O F --- 
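        The Reg Loading Points section of the log above is what the helper's fix is built from: three HKCU Run values whose names are eight-letter lowercase tokens, each pointing at a different eight-letter lowercase executable written into system32 on 2008-03-25, two of them exactly 98,304 bytes. The script below is an added example, not ComboFix code and not something the helpers in this thread posted: it parses "name"="path" [date time size] lines from a log in this shape, scores each autorun entry on those weak indicators (no single one is conclusive), and separately lists protection-weakening values such as EnableFirewall = 0, DisableMonitoring = 1 and EnableLUA = 0 for a human to review. The sample log text is constructed from a few lines in the same format as the posted log; the token pattern, the seven-day window and the three-indicator threshold are assumptions of this example, not ComboFix rules.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample with the same line shapes as the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-21 14:03 1232896]
"gaiembcv"="C:\Windows\system32\jshalgvu.exe" [2008-03-25 09:16 106496]
"ngrmrzkm"="C:\Windows\system32\hotwdkfg.exe" [2008-03-25 13:07 98304]
"eucpwsvr"="C:\Windows\system32\lqjsxmde.exe" [2008-03-25 13:52 98304]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-23 15:44 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 08:26 4702208 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
META_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+)")
LOWER_TOKEN_RE = re.compile(r"^[a-z]{6,12}$")  # assumed: real product names rarely look like this

# Values that weaken protection. A third-party suite can set some of these on
# purpose, so they are listed for review rather than treated as verdicts.
TAMPER_CHECKS = [
    (re.compile(r'^"EnableFirewall"\s*=\s*0\b'), "firewall disabled for this profile"),
    (re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$'), "Security Center monitoring disabled"),
    (re.compile(r'^"EnableLUA"\s*=\s*0\b'), "UAC (EnableLUA) turned off"),
]

def _keyed_lines(log_text):
    """Yield (current registry key, stripped line) pairs for the whole log."""
    key = None
    for line in (raw.strip() for raw in log_text.splitlines()):
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
        else:
            yield key, line

def parse_run_entries(log_text):
    """Collect "name"="path" [date time size] lines found under a Run key."""
    entries = []
    for key, line in _keyed_lines(log_text):
        m = ENTRY_RE.match(line)
        if not m or key is None or not key.lower().endswith("\\run"):
            continue
        meta = META_RE.match(m.group("meta"))  # absent for entries like "NDSTray.exe"
        entries.append({
            "key": key, "name": m.group("name"), "path": m.group("path"),
            "mtime": datetime.strptime(meta.group(1), "%Y-%m-%d %H:%M") if meta else None,
            "size": int(meta.group(2)) if meta else None,
        })
    return entries

def triage(entries, recent_days=7, min_reasons=3):
    """Score each autorun on weak indicators; return [(entry, reasons)] above threshold."""
    newest = max((e["mtime"] for e in entries if e["mtime"]), default=None)
    sizes = Counter(e["size"] for e in entries if e["size"])
    flagged = []
    for e in entries:
        stem = e["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        low = e["path"].lower()
        reasons = []
        if LOWER_TOKEN_RE.match(e["name"]):
            reasons.append("value name is a bare lowercase token")
        if LOWER_TOKEN_RE.match(stem) and stem.lower() != e["name"].lower():
            reasons.append("file name is a different bare lowercase token")
        if "\\windows\\system32\\" in low and "program files" not in low:
            reasons.append("runs straight from system32, not from an install directory")
        if newest and e["mtime"] and (newest - e["mtime"]).days <= recent_days:
            reasons.append("written within %d days of the newest autorun" % recent_days)
        if e["size"] and sizes[e["size"]] > 1:
            reasons.append("same size as another autorun binary")
        if len(reasons) >= min_reasons:
            flagged.append((e, reasons))
    return flagged

def find_disabled_protection(log_text):
    """Return (key, description) for every protection-weakening value in the log."""
    return [(key, why) for key, line in _keyed_lines(log_text)
            for pattern, why in TAMPER_CHECKS if pattern.search(line)]

if __name__ == "__main__":
    for entry, reasons in triage(parse_run_entries(SAMPLE_LOG)):
        print(f'{entry["name"]} -> {entry["path"]}: ' + "; ".join(reasons))
    for key, why in find_disabled_protection(SAMPLE_LOG):
        print(f"review: {why} [{key}]")
```

        Run against the sample, the three random-named entries are the only ones that collect three or more indicators; Sidebar is recent but otherwise ordinary, and the vendor entries under HKLM collect none. The review list is deliberately separate from the triage score because a suite such as the Norton install visible in the log can legitimately register its own monitoring with Security Center.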

        evilfantasy
        Re: Infected laptop
        « Reply #33 on: March 27, 2008, 01:38:16 PM »
        Download and install CleanUp!.exe

        Don't run it yet

        ----------

        Download HostsXpert
        • Unzip HostXpert to your desktop
        • Open up the HostXpert program.
        • Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled. 
        • Click Create Back Up
        • Then click on Restore Microsoft's Host Files
        • Close the HostXpert program
        .
        Note: If you were using a custom Hosts file you will need to replace any of those entries yourself, as well as run Spybot's Immunize and enable all protection in SpywareBlaster.

        ----------

        Now download The Avenger by Swandog46 and save it to your Desktop.
        • Extract avenger.exe from the Zip file and save it to your desktop
        • Run avenger.exe by double-clicking on it.
        • Do not change any check box options!!
        • Copy everything in the Code box below, and paste it into the Input script here window:
        Code:
        Folders to delete:
        C:\Users\All Users\mjwvapap

        Files to delete:
        C:\Windows\system32\lqjsxmde.exe
        C:\Windows\system32\hotwdkfg.exe
        C:\Windows\system32\jshalgvu.exe
        C:\Windows\userconfig9x.dll
        C:\Windows\system32\winlogonpc.exe
        C:\Windows\system32\taack.exe
        C:\Windows\system32\taack.dat
        C:\Windows\system32\sncntr.exe
        C:\Windows\system32\mwin32.exe
        C:\Windows\system32\hoproxy.dll
        C:\Windows\FVProtect.exe
        C:\Windows\a.bat
        C:\Windows\winsystem.exe
        C:\Windows\system32\WINWGPX.EXE
        C:\Windows\system32\winsystem.exe
        C:\Windows\system32\vcatchpi.dll
        C:\Windows\system32\vbsys2.dll
        C:\Windows\system32\thun32.dll
        C:\Windows\system32\thun.dll
        C:\Windows\system32\temp#01.exe
        C:\Windows\system32\sysreq.exe
        C:\Windows\system32\ssvchost.exe
        C:\Windows\system32\ssvchost.com
        C:\Windows\system32\ssurf022.dll
        C:\Windows\system32\Rundl1.exe
        C:\Windows\system32\regm64.dll
        C:\Windows\system32\regc64.dll
        C:\Windows\system32\psoft1.exe
        C:\Windows\system32\psof1.exe
        C:\Windows\system32\ps1.exe
        C:\Windows\system32\newsd32.exe
        C:\Windows\system32\netode.exe
        C:\Windows\system32\mtr2.exe
        C:\Windows\system32\msvchost.exe
        C:\Windows\system32\mssecu.exe
        C:\Windows\system32\msnbho.dll
        C:\Windows\system32\msgp.exe
        C:\Windows\system32\medup020.dll
        C:\Windows\system32\medup012.dll
        C:\Windows\system32\hxiwlgpm.exe
        C:\Windows\system32\hxiwlgpm.dat
        C:\Windows\system32\h@tkeysh@@k.dll
        C:\Windows\system32\emesx.dll
        C:\Windows\system32\dpcproxy.exe
        C:\Windows\system32\bsva-egihsg52.exe
        C:\Windows\system32\bdn.com
        C:\Windows\system32\awtoolb.dll
        C:\Windows\system32\anticipator.dll
        C:\Windows\system32\akttzn.exe
        C:\Windows\mssecu.exe
        C:\Windows\iTunesMusic.exe
        C:\Windows\bdn.com
        C:\Users\Dave's computer\Desktop\virii
        C:\Users\Dave's computer\Desktop\FWebdEditor.exe
        C:\Users\Dave's computer\Desktop\fwebd.exe
        C:\Users\Dave's computer\Desktop\filemanagerclient.exe

        Registry keys to delete:
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gaiembcv
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngrmrzkm
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eucpwsvr


        Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system


        • Now click the Execute button.
        • Click Yes to the prompt to confirm you want to execute.
        • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
        • Your PC should reboot, if not, reboot it yourself.
        • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
        .
        • Please add the Avenger log in your next post.
        .
        ----------

        Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
        Set the program up as follows:
        • Click Options...
        • Move the arrow to Standard CleanUp!
        • Uncheck the following: (if checked)
          • Delete Newsgroup cache
          • Delete Newsgroup Subscriptions
        • Click OK
        Click the CleanUp! button to start the program. Reboot/logoff when prompted.

        Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

        ----------

        Next post please add
        Avenger log
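        The HostsXpert steps in the post above reset the hosts file because malware of this kind commonly adds entries that point security vendors' update and scanner hosts at 127.0.0.1, so the tools the user already installed keep failing silently. The script below is an added example, not HostsXpert's code and not posted by the helper: it parses a hosts file, keeps the two Microsoft default localhost lines apart from block-style entries (a name sent to loopback or 0.0.0.0) and redirect-style entries (a name sent to any other address), and produces the default-only rewrite that the "Restore Microsoft's Host Files" button approximates. The sample file and its .test names are constructed. As the note above warns, a Spybot Immunize line is textually identical to a malicious block, so the classifier reports entries for a person to judge rather than deleting anything itself.

```python
"""Classify hosts-file entries and produce a default-only rewrite (added example)."""
import ipaddress

# The two active lines of the Windows default hosts file (the real file also
# carries a comment header, omitted here; constructed minimal equivalent).
DEFAULT_HOSTS = "127.0.0.1       localhost\n::1             localhost\n"

# Constructed sample of a tampered hosts file; the .test names are placeholders.
SAMPLE_HOSTS = """\
# constructed sample, not taken from the laptop in this thread
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test     # vendor update host pointed at loopback
0.0.0.0         www.example-av.test        # same effect with the unspecified address
198.51.100.7    www.example-bank.test      # name sent to some other host
127.0.0.1       ads.example-tracker.test   # looks exactly like a Spybot Immunize line
"""

def parse_hosts(text):
    """Return [(lineno, ip_or_None, names)] for every active (non-comment) line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        active = raw.split("#", 1)[0].strip()
        if not active:
            continue
        parts = active.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append((lineno, None, parts))  # malformed: kept for the report
            continue
        entries.append((lineno, ip, parts[1:]))
    return entries

def classify_hosts(text):
    """Bucket each mapped name into default / block / redirect / malformed."""
    report = {"default": [], "block": [], "redirect": [], "malformed": []}
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            report["malformed"].append((lineno, names))
            continue
        for name in names:
            lname = name.lower()
            if lname == "localhost" and ip.is_loopback:
                report["default"].append((lineno, str(ip), lname))
            elif ip.is_loopback or ip.is_unspecified:
                # Resolution is sunk: the name can never reach its real host.
                report["block"].append((lineno, str(ip), lname))
            else:
                # Resolution is diverted to whichever host owns that address.
                report["redirect"].append((lineno, str(ip), lname))
    return report

def reset_to_default(text):
    """Keep comments and loopback->localhost lines; drop every other mapping."""
    kept = []
    for raw in text.splitlines():
        active = raw.split("#", 1)[0].strip()
        if not active:
            kept.append(raw)
            continue
        parts = active.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if ip.is_loopback and [p.lower() for p in parts[1:]] == ["localhost"]:
            kept.append(raw)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    report = classify_hosts(SAMPLE_HOSTS)
    for bucket in ("block", "redirect", "malformed"):
        for item in report[bucket]:
            print(f"{bucket:9} line {item[0]}: {item[1:]}")
    print("--- reset file ---")
    print(reset_to_default(SAMPLE_HOSTS), end="")
```

        Redirect entries deserve the closest look, since a name sent to an address the user does not control can put a sign-in page on someone else's server; block entries are the ones that explain failed updates and scanners, but a long run of 127.0.0.1 lines is also exactly what Spybot's Immunize writes, which is why the post tells the user to re-apply it after the reset.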


        SuperDave
        Re: Infected laptop
        « Reply #34 on: March 27, 2008, 05:06:45 PM »
        I received some errors when running avenger but I was able to complete it. Here is the log file:


        [recovering space - attachment deleted by admin]

        evilfantasy
        Re: Infected laptop
        « Reply #35 on: March 27, 2008, 05:26:00 PM »
        We need to try and manually delete a folder.

         To enable the viewing of Hidden files follow these steps:

           1. Close all programs so that you are at your desktop.
           2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
           3. Click on the Control Panel menu option.
           4. When the control panel opens you can either be in Classic View or Control Panel Home view:

              If you are in the Classic View do the following:
                 1. Double-click on the Folder Options icon.
                 2. Click on the View tab.
                 3. Go to step 5.

              If you are in the Control Panel Home view do the following:
                 1. Click on the Appearance and Personalization link .
                 2. Click on Show Hidden Files or Folders.
                 3. Go to step 5.

           5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
           6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
           7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
           8. Press the Apply button and then the OK button and shutdown My Computer.
           9. Now Windows Vista is configured to show all hidden files.

        ----------

        Now open My Computer from the desktop and locate this folder (in blue) and delete it.

        C:\Users\Dave's computer\Desktop\virii

        ----------

        Scan a Suspicious File

        Please visit one of the following:
        (Multiple sites are given in case one is not working)
        (If more than one file needs scanned they must be done separately and logs posted for each one)
        Copy the file path in the code box below.
        Code:
        C:\Users\All Users\mjwvapap
        • At the upload site, click once inside the window next to Browse.
        • Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
        • Next click Send File/Submit/Upload (depending on the site)
          • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
        • This will perform a scan across multiple different virus scanning engines.
        • Please wait for all of the scanning engines to complete.
        • Copy and then Paste the results in the next reply.
        .
        ----------

        Next post let me know how the deletion went and the results of the file scan.

        Also let me know how things are now.

        SuperDave
        Re: Infected laptop
        « Reply #36 on: March 27, 2008, 08:03:40 PM »
        The deletion of that folder went without a hitch but this is what I got when I sent the file:
        0 bytes size received / Se ha recibido un archivo vacio
        Besides that there is no more evidence of those annoying pop-ups.
        Should I uninstall all those other programs from my computer?

        SuperDave
        Re: Infected laptop
        « Reply #37 on: March 27, 2008, 08:16:23 PM »
        I tried another scan site and this is what I received: The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

        evilfantasy
        Re: Infected laptop
        « Reply #38 on: March 27, 2008, 08:20:11 PM »
        It may be the UAC blocking it.

        Since it is a 0 byte file that means it is empty. I'm pretty sure it is a leftover from Vundo so it needs to be deleted as well. Go to C:\Users\All Users\mjwvapap and delete the mjwvapap file/folder. Be sure to empty the recycle bin after deletion.

        We will clean up the mess now.

        • Click START then RUN
        • Now type CF /u in the runbox
        • Make sure there's a space between CF and /u
        • Then hit Enter.
        .
        .
        The above procedure will:
        • Delete:
          • ComboFix and its associated files and folders.
          • VundoFix backups, if present
          • The C:\Deckard folder, if present
          • The C:\_OtMoveIt folder, if present
        • Reset the clock settings.
        • Hide file extensions, if required.
        • Hide System/Hidden files, if required.
        • Set a new, clean Restore Point.
        .
          Next go HERE to see how to clear your infected restore points and set a new clean one.

          Use the Secunia Software Inspector

          • Click Start Now
          • Check the box next to Enable thorough system inspection.
          • Click Start
          • Allow the scan to finish and scroll down to see if any updates are needed.
          • Update anything listed.
          .
          I have some safety instructions written up that would be a good idea to look at in order to help keep this from happening again.

          Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

          Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

          Let me know if you have any questions. I still think it would be good to try the Panda scan again. If it won't work let me know and we can use another one instead.


          SuperDave

          Re: Infected laptop
          « Reply #39 on: March 28, 2008, 07:17:25 AM »
          I deleted that file with no problem but when I enter that command in Run it says it can't find CF.

          evilfantasy

          Re: Infected laptop
          « Reply #40 on: March 28, 2008, 09:50:30 AM »
          Delete it from the desktop, then go to C:\ and look for anything with CF or Combofix in the name and delete them also. There may be one, two total.

          SuperDave

          Re: Infected laptop
          « Reply #41 on: March 28, 2008, 10:53:28 AM »
          I deleted CF but I couldn't find ComboFix. There is a folder named Qoobox which has one quarantined file from ComboFix. I also didn't have any luck with the PANDA on-line scan. I'm still getting an empty screen.

          evilfantasy

          Re: Infected laptop
          « Reply #42 on: March 28, 2008, 11:27:36 AM »
          Delete Qoobox also. That is the backups from CF and will be flagged as malware by some antivirus so best to get rid of it.

          Try this online scanner instead of Panda.

          Use the Kaspersky Online Scanner
          • Click Accept.
          • Answer Yes, when prompted to install an ActiveX component.
          • The program will then begin downloading the latest definition files.
          • Once the files have been downloaded click on NEXT
          • Locate the Scan Settings button & configure to:
            • Scan using the following Anti-Virus database: Extended
            • Scan Options: Scan Archives, Scan Mail Bases
          • Click OK & have it scan My Computer

          When the scan is done, in the Scan is complete window (below), any infection is displayed.
          There is no option to clean/disinfect, however, we need to analyze the information on the report.

          To obtain the report:
          • Click on: Save Report As...
          • Next, in the Save as prompt, Save in area, select: Desktop.
          • In the File name area, use KScan, or something similar.
          • In Save as type: click the drop arrow and select: Text file [*.txt]
          • Then, click: Save

          Please copy and paste the Kaspersky Online Scanner Report in your next post.


              SuperDave

              Re: Infected laptop
              « Reply #43 on: March 28, 2008, 01:33:51 PM »
              KASPERSKY ONLINE SCANNER REPORT
               Friday, March 28, 2008 4:31:40 PM
               Operating System: Microsoft Windows Vista Home Edition,  (Build 6000)
               Kaspersky Online Scanner version: 5.0.98.0
               Kaspersky Anti-Virus database last update: 28/03/2008
               Kaspersky Anti-Virus database records: 668934
              -------------------------------------------------------------------------------

              Scan Settings:
                 Scan using the following antivirus database: extended
                 Scan Archives: true
                 Scan Mail Bases: true

              Scan Target - My Computer:
                 C:\
                 D:\
                 E:\

              Scan Statistics:
                 Total number of scanned objects: 73372
                 Number of viruses found: 0
                 Number of infected objects: 0
                 Number of suspicious objects: 0
                 Duration of the scan process: 00:49:10

              Infected Object Name / Virus Name / Last Action
              C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll   Object is locked   skipped
              C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT   Object is locked   skipped
              C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG   Object is locked   skipped
              C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log   Object is locked   skipped
              C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log   Object is locked   skipped
              C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log   Object is locked   skipped
              C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ed80a482b1f410658b28b47ea513b454_62bac37c-8bf7-4a7c-bac5-d89f18910d3e   Object is locked   skipped
              C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fcd3bcc382783d5142e645b139aa2d65_62bac37c-8bf7-4a7c-bac5-d89f18910d3e   Object is locked   skipped
              C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat   Object is locked   skipped
              C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.14.Crwl   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.14.gthr   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.ci   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wsb   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.wid   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy18.gthr   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2EC9.tmp   Object is locked   skipped
              C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2ECA.tmp   Object is locked   skipped
              C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050241.log   Object is locked   skipped
              C:\ProgramData\PC Tools\ThreatFire\Orig.db   Object is locked   skipped
              C:\ProgramData\Symantec\Common Client\settings.dat   Object is locked   skipped
              C:\ProgramData\Symantec\LiveUpdate\2008-03-28_Log.ALUSchedulerSvc.LiveUpdate   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBConfig.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBDebug.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBDetect.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBNotify.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBRefr.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBSetCfg.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBSetCfg2.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBSetDev.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBSetLoc.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBSetUsr.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBStHash.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\BBValid.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\SPPolicy.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\SPStart.log   Object is locked   skipped
              C:\ProgramData\Symantec\SPBBC\SPStop.log   Object is locked   skipped
              C:\ProgramData\Symantec\SRTSP\SrtErEvt.log   Object is locked   skipped
              C:\ProgramData\Symantec\SRTSP\SrtETmp\1C3D2B79.TMP   Object is locked   skipped
              C:\ProgramData\Symantec\SRTSP\SrtMoEvt.log   Object is locked   skipped
              C:\ProgramData\Symantec\SRTSP\SrtNvEvt.log   Object is locked   skipped
              C:\ProgramData\Symantec\SRTSP\SrtScEvt.log   Object is locked   skipped
              C:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log   Object is locked   skipped
              C:\ProgramData\Symantec\SRTSP\SrtViEvt.log   Object is locked   skipped
              C:\ProgramData\Symantec\SubEng\submissions.idx   Object is locked   skipped
              C:\ProgramData\Symantec\SymNetDrv\SNDALRT.log   Object is locked   skipped
              C:\ProgramData\Symantec\SymNetDrv\SNDCON.log   Object is locked   skipped
              C:\ProgramData\Symantec\SymNetDrv\SNDDBG.log   Object is locked   skipped
              C:\ProgramData\Symantec\SymNetDrv\SNDFW.log   Object is locked   skipped
              C:\ProgramData\Symantec\SymNetDrv\SNDIDS.log   Object is locked   skipped
              C:\ProgramData\Symantec\SymNetDrv\SNDSYS.log   Object is locked   skipped

              SuperDave

              Re: Infected laptop
              « Reply #44 on: March 28, 2008, 01:34:36 PM »
              C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat{4459c1d8-f6f1-11dc-9f05-00a0d198404c}.TM.blf   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat{4459c1d8-f6f1-11dc-9f05-00a0d198404c}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows\UsrClass.dat{4459c1d8-f6f1-11dc-9f05-00a0d198404c}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows Defender\FileTracker\{3F52D1D9-A77A-47C5-A4A7-1F847695A4E6}   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Microsoft\Windows Sidebar\Settings.ini   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Temp\~DF8781.tmp   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Local\Temp\~DF879A.tmp   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Roaming\Microsoft\Windows\Cookies\index.dat   Object is locked   skipped
              C:\Users\Dave's computer\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-27-2008( 22-41-1 ).LOG   Object is locked   skipped
              C:\Users\Dave's computer\NTUSER.DAT   Object is locked   skipped
              C:\Users\Dave's computer\ntuser.dat.LOG1   Object is locked   skipped
              C:\Users\Dave's computer\ntuser.dat.LOG2   Object is locked   skipped
              C:\Users\Dave's computer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf   Object is locked   skipped
              C:\Users\Dave's computer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
              C:\Users\Dave's computer\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
              C:\Windows\Debug\PASSWD.LOG   Object is locked   skipped
              C:\Windows\Debug\sam.log   Object is locked   skipped
              C:\Windows\Debug\WIA\wiatrace.log   Object is locked   skipped
              C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat   Object is locked   skipped
              C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat   Object is locked   skipped
              C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log   Object is locked   skipped
              C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT   Object is locked   skipped
              C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1   Object is locked   skipped
              C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2   Object is locked   skipped
              C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf   Object is locked   skipped
              C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
              C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
              C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT   Object is locked   skipped
              C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1   Object is locked   skipped
              C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2   Object is locked   skipped
              C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf   Object is locked   skipped
              C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
              C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
              C:\Windows\SoftwareDistribution\EventCache\{65751959-0B51-42D4-ABE8-32F0019D64D3}.bin   Object is locked   skipped
              C:\Windows\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
              C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0   Object is locked   skipped
              C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0   Object is locked   skipped
              C:\Windows\System32\catroot2\edb.log   Object is locked   skipped
              C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb   Object is locked   skipped
              C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb   Object is locked   skipped
              C:\Windows\System32\config\COMPONENTS   Object is locked   skipped
              C:\Windows\System32\config\COMPONENTS.LOG1   Object is locked   skipped
              C:\Windows\System32\config\COMPONENTS.LOG2   Object is locked   skipped
              C:\Windows\System32\config\DEFAULT   Object is locked   skipped
              C:\Windows\System32\config\DEFAULT.LOG1   Object is locked   skipped
              C:\Windows\System32\config\DEFAULT.LOG2   Object is locked   skipped
              C:\Windows\System32\config\RegBack\COMPONENTS   Object is locked   skipped
              C:\Windows\System32\config\RegBack\DEFAULT   Object is locked   skipped
              C:\Windows\System32\config\RegBack\SAM   Object is locked   skipped
              C:\Windows\System32\config\RegBack\SECURITY   Object is locked   skipped
              C:\Windows\System32\config\RegBack\SOFTWARE   Object is locked   skipped
              C:\Windows\System32\config\RegBack\SYSTEM   Object is locked   skipped
              C:\Windows\System32\config\SAM   Object is locked   skipped
              C:\Windows\System32\config\SAM.LOG1   Object is locked   skipped
              C:\Windows\System32\config\SAM.LOG2   Object is locked   skipped
              C:\Windows\System32\config\SECURITY   Object is locked   skipped
              C:\Windows\System32\config\SECURITY.LOG1   Object is locked   skipped

              SuperDave

              Re: Infected laptop
              « Reply #45 on: March 28, 2008, 01:35:20 PM »
              C:\Windows\System32\config\SECURITY.LOG2   Object is locked   skipped
              C:\Windows\System32\config\SOFTWARE   Object is locked   skipped
              C:\Windows\System32\config\SOFTWARE.LOG1   Object is locked   skipped
              C:\Windows\System32\config\SOFTWARE.LOG2   Object is locked   skipped
              C:\Windows\System32\config\SYSTEM   Object is locked   skipped
              C:\Windows\System32\config\SYSTEM.LOG1   Object is locked   skipped
              C:\Windows\System32\config\SYSTEM.LOG2   Object is locked   skipped
              C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat   Object is locked   skipped
              C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
              C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat   Object is locked   skipped
              C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms   Object is locked   skipped
              C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms   Object is locked   skipped
              C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms   Object is locked   skipped
              C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf   Object is locked   skipped
              C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf   Object is locked   skipped
              C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
              C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
              C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms   Object is locked   skipped
              C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms   Object is locked   skipped
              C:\Windows\System32\LogFiles\Scm\SCM.EVM   Object is locked   skipped
              C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl   Object is locked   skipped
              C:\Windows\System32\Msdtc\KtmRmTm.blf   Object is locked   skipped
              C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001   Object is locked   skipped
              C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002   Object is locked   skipped
              C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT   Object is locked   skipped
              C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1   Object is locked   skipped
              C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG2   Object is locked   skipped
              C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{3a53986d-6a70-11db-887c-d362bd253390}.TM.blf   Object is locked   skipped
              C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{3a53986d-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms   Object is locked   skipped
              C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{3a53986d-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms   Object is locked   skipped
              C:\Windows\System32\spool\SpoolerETW.etl   Object is locked   skipped
              C:\Windows\System32\wbem\Logs\WMITracing.log   Object is locked   skipped
              C:\Windows\System32\wbem\Repository\INDEX.BTR   Object is locked   skipped
              C:\Windows\System32\wbem\Repository\MAPPING1.MAP   Object is locked   skipped
              C:\Windows\System32\wbem\Repository\MAPPING2.MAP   Object is locked   skipped
              C:\Windows\System32\wbem\Repository\OBJECTS.DATA   Object is locked   skipped
              C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.003   Object is locked   skipped
              C:\Windows\System32\wfp\wfpdiag.etl   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\ACEEventLog.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Application.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\DFS Replication.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\HardwareEvents.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Internet Explorer.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Key Management Service.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Media Center.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\Security.evtx   Object is locked   skipped
              C:\Windows\System32\winevt\Logs\System.evtx   Object is locked   skipped
              C:\Windows\Tasks\SCHEDLGU.TXT   Object is locked   skipped
              C:\Windows\WindowsUpdate.log   Object is locked   skipped

              Scan process completed.

              evilfantasy

              Re: Infected laptop
              « Reply #46 on: March 28, 2008, 01:45:24 PM »
              That's a clean log. Looks like we got everything. I feel better about calling this solved now.
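Reading a Kaspersky report like the one above by hand is tedious, and the reason it counts as clean is easy to miss: every entry is a file the scanner could not open ("Object is locked / skipped"), and the statistics block reports zero infected and suspicious objects. The script below is an added example for this thread, not code from the forum or from Kaspersky. It parses the 5.x report layout (path, status and last action separated by runs of spaces, an assumption taken from the posted report), separates locked-and-skipped lines from real detections, and only calls a report clean when the statistics block is present, shows zero infected and suspicious objects, and no entry line is a detection. Both reports inside the script are constructed, shortened samples; the detection line's path and family name are placeholders.

```python
"""Classify the entries of a Kaspersky Online Scanner 5.x text report.

Added example, not code from the thread or from Kaspersky. The sample
reports are constructed; the entry layout (path, status, action separated
by two or more spaces) is assumed from the report posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the shape of a clean report (all entries locked/skipped).
CLEAN_REPORT = r"""KASPERSKY ONLINE SCANNER REPORT
 Friday, March 28, 2008 4:31:40 PM
 Kaspersky Online Scanner version: 5.0.98.0
-------------------------------------------------------------------------------

Scan Statistics:
   Total number of scanned objects: 73372
   Number of viruses found: 0
   Number of infected objects: 0
   Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Windows\System32\config\SAM   Object is locked   skipped
C:\Windows\System32\winevt\Logs\Security.evtx   Object is locked   skipped
C:\ProgramData\Symantec\SPBBC\BBConfig.log   Object is locked   skipped

Scan process completed.
"""

# Constructed sample with one detection; the path and family name are placeholders.
DETECTION_REPORT = r"""KASPERSKY ONLINE SCANNER REPORT
Scan Statistics:
   Total number of scanned objects: 100
   Number of viruses found: 1
   Number of infected objects: 1
   Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Windows\System32\config\SAM   Object is locked   skipped
C:\Users\example\AppData\Local\Temp\sample.tmp   Infected: Trojan-Downloader.Win32.EXAMPLE   skipped

Scan process completed.
"""

# "<key>: <number>" lines from the Scan Statistics block.
STAT_RE = re.compile(
    r"^(?P<key>Total number of scanned objects|Number of viruses found|"
    r"Number of infected objects|Number of suspicious objects):\s*(?P<value>\d+)$"
)
# "<drive path>   <status>   <action>": fields separated by two or more spaces.
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s{2,}(?P<status>.+?)\s{2,}(?P<action>\S+)$")


@dataclass
class Entry:
    path: str
    status: str   # "Object is locked", "Infected: <name>", "Suspicious: <name>", ...
    action: str   # "skipped", "deleted", ...

    @property
    def is_detection(self) -> bool:
        return self.status.startswith(("Infected:", "Suspicious:"))


@dataclass
class Report:
    stats: dict[str, int] = field(default_factory=dict)
    entries: list[Entry] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Pull the statistics counters and the per-object entry lines out of a report."""
    report = Report()
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            report.stats[m.group("key")] = int(m.group("value"))
            continue
        m = ENTRY_RE.match(line)
        if m:
            report.entries.append(Entry(m.group("path"), m.group("status"), m.group("action")))
    return report


def is_clean(report: Report) -> bool:
    """Clean only when the statistics block is present and reports zero infected
    and suspicious objects, and no entry line is itself a detection. A truncated
    paste that lacks the statistics block is reported as not clean, not guessed."""
    required = ("Number of infected objects", "Number of suspicious objects")
    if any(key not in report.stats for key in required):
        return False
    if any(report.stats[key] != 0 for key in required):
        return False
    return not any(entry.is_detection for entry in report.entries)


def summarize(report: Report) -> dict:
    """Counts a helper would want before replying: how many lines are merely locked
    files versus real detections, and the overall verdict."""
    locked = sum(1 for e in report.entries if e.status == "Object is locked")
    found = sum(1 for e in report.entries if e.is_detection)
    return {"entries": len(report.entries), "locked_skipped": locked,
            "detections": found, "clean": is_clean(report)}


if __name__ == "__main__":
    print("clean sample:    ", summarize(parse_report(CLEAN_REPORT)))
    print("detection sample:", summarize(parse_report(DETECTION_REPORT)))
```

The verdict deliberately requires the statistics block: the report in this thread was split across three posts to fit the forum's length limit, and a parser run on only the first or last part should say "cannot confirm" rather than "clean".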

              SuperDave

              Re: Infected laptop
              « Reply #47 on: March 28, 2008, 05:07:23 PM »
              I read the articles that you mentioned. I suspect I was infected while I was searching for some protection programs. Now that I'm clean again I'm puzzled as to what protection to use because most of the free programs I tried did nothing to remove the infections. I noticed in another thread that another moderator suggested the use of Threatfire. I did some reading about it and decided to use it for real-time protection. There are so many protection programs and it's hard to determine which ones to use. I would certainly appreciate some advice. I'm now using Norton AV, Threatfire, Spybot S&D, SuperAntiSpyware with Windows Firewall, Norton Firewall and Windows Defender. It's all so confusing.

              evilfantasy

              Re: Infected laptop
              « Reply #48 on: March 28, 2008, 05:17:47 PM »
              Searching for security can be hazardous. I learned the hard way myself so don't feel bad.

              Turn off Windows Firewall. Running two isn't good and will cause conflicts with the system.

              Safe security tools

              Safe download sites. If you are thinking about downloading something, check to see if it is hosted at one of these malware-free download sites. If it isn't there, it may not be safe.
              http://www.filehippo.com
              http://majorgeeks.com

              In addition to what you have installed now I would suggest adding Spywareblaster. That should round out your security setup pretty well.

              Once a month or so you could also run an online virus scan. I suggest using BitDefender Online Scanner. It is free and removes anything it finds.

              Let me know if you need anything else.

              SuperDave

              Re: Infected laptop
              « Reply #49 on: March 28, 2008, 06:07:02 PM »
               I still have some programs such as Malwarebytes on my laptop. Is it OK to uninstall them? Everything is working A-OK, except that I had one button that I could use to get to IE, but now it doesn't work. Any ideas?

              evilfantasy

              Re: Infected laptop
              « Reply #50 on: March 28, 2008, 06:10:08 PM »
              What button? The Icon on the desktop?

               Malwarebytes is free, so you can keep it. It checks for rogue programs, so it is good to run now and then.

              SuperDave

              Re: Infected laptop
              « Reply #51 on: March 28, 2008, 06:20:05 PM »
              It's the button between the Power button and the controls for the DVD player.

              evilfantasy

              Re: Infected laptop
              « Reply #52 on: March 28, 2008, 06:23:52 PM »
              I am not familiar enough with Vista to make a good determination. You may make a post HERE so someone else can see it and help. Hopefully it is something easy.

              SuperDave

              Re: Infected laptop
              « Reply #53 on: March 28, 2008, 06:42:06 PM »
               That's OK. I'll work at figuring it out. I think I remember reading about it somewhere. I want to thank you for all your help over the last few days. It's nice to know that there are people in the community who are willing to take the time and effort to help someone else out of a jam. Many thanks.

              evilfantasy

              Re: Infected laptop
              « Reply #54 on: March 28, 2008, 06:44:38 PM »
              No problem. I'm glad we found a solution. I was nearly ready to throw in the towel until the DSS scan turned up the infections. Odd thing is that I haven't used that scanner in a while, just a stroke of luck!

              Safe surfing, let us know if anything else comes up.

              SuperDave

              Re: Infected laptop
              « Reply #55 on: March 28, 2008, 07:04:19 PM »
              Evilfantasy for President. ;D

              NJDAVE




                Re: Infected laptop
                « Reply #56 on: April 01, 2008, 03:55:49 PM »
                Hi,

                 I think I have an infection on my laptop similar to what SuperDave had on his. I'm willing to reformat the hard drive and start all over again by reinstalling Windows XP. However, I'd like to know if it's at all safe to take any of the files off of my infected machine prior to reformatting. It would be nice if some of my data could be saved.

                The files I'd like to save are of the following types.

                .txt
                .doc
                .wma
                .mdb
                .jpg
                .img
                .imz
                .pdf


                evilfantasy

                Re: Infected laptop
                « Reply #57 on: April 01, 2008, 04:05:45 PM »
                 Why not start a new thread with the logs from HERE?

                .doc
                .wma
                .mdb
                .jpg
                .img
                .imz
                .pdf

                These are all very easily infected by malware and sometimes cleaning is much easier than you might think.
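Added example for the salvage question in the last two posts (this is not code from NJDAVE, evilfantasy or the forum): a small Python triage script you would run from a clean machine against a mounted copy of the suspect drive. It copies only the data types NJDAVE listed, refuses anything with an executable extension (including double extensions such as photo.jpg.exe, which Windows shows as "photo.jpg" when known extensions are hidden), and flags for review any "document" whose first bytes are a Windows PE header or do not match the signature its extension promises. The format signatures are the standard ones for those file types; the folder layout, the sample files and the two extension lists are constructed for the demo and are assumptions you would adjust.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# The extensions NJDAVE listed as worth salvaging (assumption: adjust to taste).
DATA_EXTENSIONS = {".txt", ".doc", ".wma", ".mdb", ".jpg", ".img", ".imz", ".pdf"}

# Never copied, whatever the rest of the name looks like (so photo.jpg.exe is skipped).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".dll", ".lnk"}

# Leading-byte signatures for the formats that have a fixed one.
# .txt, .img and .imz have none, so only the PE-header check applies to them.
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound file (Word 97-2003)
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
    ".wma": (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11",),   # ASF header object GUID
    ".mdb": (b"\x00\x01\x00\x00Standard Jet DB",),    # Access (Jet 3/4) database
}
PE_MAGIC = b"MZ"      # DOS/PE executable header, whatever the extension says
HEADER_LEN = 32


def classify(path: Path) -> tuple[str, str]:
    """Return (verdict, reason): 'copy', 'skip' (not wanted) or 'review' (looks wrong)."""
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return "skip", f"executable extension {ext}"
    if ext not in DATA_EXTENSIONS:
        return "skip", f"extension {ext or '(none)'} is not on the salvage list"
    with open(path, "rb") as fh:
        head = fh.read(HEADER_LEN)
    if head.startswith(PE_MAGIC):
        return "review", f"{ext} file begins with a PE (MZ) header"
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(sig) for sig in expected):
        return "review", f"{ext} file header {head[:4]!r} does not match the format"
    return "copy", "extension and header consistent"


def triage(root: Path) -> dict[str, tuple[str, str]]:
    """Classify every regular file under root; keys are paths relative to root."""
    results: dict[str, tuple[str, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            results[p.relative_to(root).as_posix()] = classify(p)
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed stand-in for a user profile on the infected drive (not real data)."""
    docs = root / "Documents"
    pics = root / "Pictures"
    docs.mkdir(parents=True, exist_ok=True)
    pics.mkdir(parents=True, exist_ok=True)
    pad = b"\x00" * 24
    (docs / "notes.txt").write_bytes(b"meeting notes\n")
    (docs / "report.doc").write_bytes(MAGIC[".doc"][0] + pad)
    (docs / "manual.pdf").write_bytes(b"%PDF-1.4\n%...\n")
    (docs / "invoice.pdf").write_bytes(b"MZ\x90\x00\x03\x00" + pad)       # executable renamed to .pdf
    (docs / "contacts.mdb").write_bytes(MAGIC[".mdb"][0] + pad)
    (docs / "floppy.img").write_bytes(b"\xeb\x3c\x90MSDOS5.0" + pad)
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF" + pad)
    (pics / "scan.jpg").write_bytes(b"\x89PNG\r\n\x1a\n" + pad)          # wrong format for the extension
    (pics / "holiday.jpg.exe").write_bytes(b"MZ\x90\x00\x03\x00" + pad)  # double extension
    (root / "setup.exe").write_bytes(b"MZ\x90\x00\x03\x00" + pad)


def run_demo() -> dict[str, tuple[str, str]]:
    """Build the sample tree in a temp dir, triage it, and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for rel, (verdict, reason) in sorted(run_demo().items()):
        print(f"{verdict:6}  {rel:28}  {reason}")
```

Point triage() at the profile root of the mounted drive and copy only the "copy" verdicts. This catches renamed executables and mislabelled files; it does not catch a genuine .doc carrying a malicious macro or a crafted PDF, so scan whatever you salvage with an up-to-date AV on the clean machine before opening any of it.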