1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

dossier_top_secret

Discussion in 'Virus & Other Malware Removal' started by ensoftheearth, Nov 10, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. ensoftheearth

    ensoftheearth Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    10
    After I took my memory chip to a photo shop to develop some pics, I found it contained a new file called dossier_top_secret. I tried to delete the file, but it keeps reappearing. It causes the chip to behave strangely too. I didn't open the file, but it must have transferred to my lap top because now strange things are happening. Many of my files now ask for passwords where I have never assigned one. I can't open any of these files. Most times I don't care, but yesterday it locked up an excel file that contains information that I need to see. The only other blog on this subject is also from Cambodia. I think this might be confined to this country as I am also in Cambodia. Dossier_top_secret appears and now files that I want to see are locked and password protected. Sounds like I virus, but is there a fix. HELP!
     
  2. cwwozniak

    cwwozniak Trusted Advisor Spam Fighter

    Joined:
    Nov 28, 2005
    Messages:
    64,136
    First Name:
    Chuck
    I would agree that you may have virus. TSG has a special forum reserved for malware and virus help. I would suggest you click on the red triangle at the top of your first post and ask a moderator to move your post to that forum for you.
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    go to here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu.
    Click on the entry in start menu to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Processes group click Non-Microsoft
      • In the Win32 Services group click Non-Microsoft
      • In the Driver Services group click Non-Microsoft
      • In the Registry group click ALL
      • In the Files Created Within group click 60 days Make sure Non-Microsoft only is CHECKED
      • In the Files Modified Within group select 60 days Make sure Non-Microsoft only is CHECKED
      • In the File String Search group select ALL
      in the Additional scans sections please press select all and then unselect event viewer. uncheck non-microsoft only
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file
    Use the Reply button and attach the notepad file here . I will review it when it comes in.
     
  4. ensoftheearth

    ensoftheearth Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    10
    Here is what Hijack This said:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:42:12 PM, on 11/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\TOSHIBA-8BABD84.exe
    C:\WINDOWS\Mr. DAVID.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\DOCUME~1\MRFCAE~1.DAV\taskmgr.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\wscript.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\taskmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = John Sina
    F3 - REG:win.ini: load=C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\services.exe
    F3 - REG:win.ini: run=explorer.exe C:\WINDOWS\System\regedit.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\smss.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LaunchApp] launchapp
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\.MS32DLL.dll.vbs
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winboot] wscript.exe /E:vbs C:\WINDOWS\boot.ini
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [system] C:\taskmgr.exe
    O4 - HKLM\..\Run: [TOSHIBA-8BABD84] C:\WINDOWS\win.pif
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mr. DAVID] C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\Temp\Tmp.com
    O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\MRFCAE~1.DAV\taskmgr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [(Default)] C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\winlogon.exe
    O4 - HKCU\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD3A215-3B1A-4AEB-8863-15E214279B19}: NameServer = 203.189.134.3 203.189.128.2
    O17 - HKLM\System\CS3\Services\Tcpip\..\{2AD3A215-3B1A-4AEB-8863-15E214279B19}: NameServer = 203.189.134.3 203.189.128.2
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MsNet Service (MsNet) - - C:\WINDOWS\Fonts\font.bat
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 13033 bytes
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    that is bad

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  6. ensoftheearth

    ensoftheearth Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    10
    This is what HiJackThis says now:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:13:11 AM, on 12/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\system32\TOSHIBA-8BABD84.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\Mr. DAVID.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\wscript.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = John Sina
    F3 - REG:win.ini: load=C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\services.exe
    F3 - REG:win.ini: run=explorer.exe C:\WINDOWS\System\regedit.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\smss.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LaunchApp] launchapp
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\.MS32DLL.dll.vbs
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winboot] wscript.exe /E:vbs C:\WINDOWS\boot.ini
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TOSHIBA-8BABD84] C:\WINDOWS\win.pif
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mr. DAVID] C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\Temp\Tmp.com
    O4 - HKLM\..\Policies\Explorer\Run: [(Default)] C:\WINDOWS\winlogon.exe
    O4 - HKCU\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MsNet Service (MsNet) - - C:\WINDOWS\Fonts\font.bat
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 12584 bytes



    AND, this is the report.txt from SDFix:

    SDFix: Version 1.116

    Run by Mr. DAVID on Tue 12/04/2007 at 07:35 AM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\services.exe - Deleted
    C:\WINDOWS\smss.exe - Deleted
    C:\WINDOWS\svchost.exe - Deleted
    C:\WINDOWS\winlogon.exe - Deleted




    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-04 07:42:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
    "EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
    "CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:pMSRegisterFile"
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

    Remaining Files:
    ---------------
    C:\WINDOWS\services.exe Found
    C:\WINDOWS\smss.exe Found
    C:\WINDOWS\svchost.exe Found
    C:\WINDOWS\winlogon.exe Found

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Fri 10 Aug 2007 77,824 ..SH. --- "C:\AutoRun.exe"
    Sat 11 Mar 2006 40,960 ...H. --- "C:\taskmgr.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\Mr. DAVID.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\services.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\smss.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\svchost.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\win.pif"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\winlogon.exe"
    Tue 1 Aug 2006 22,987 ..SHR --- "C:\Documents and Settings\Mr. DAVID\taskmgr.exe"
    Mon 16 Oct 2006 4,900,464 ...H. --- "C:\Program Files\Picasa2\setup.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\system\regedit.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\system\wininit.com"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\system32\msdp32.dll"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\system32\TOSHIBA-8BABD84.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\Temp\Tmp.com"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\WINDOWS\Web\Picture.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\Documents and Settings\Mr. DAVID\Local Settings\explorer.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\Documents and Settings\Mr. DAVID\Local Settings\services.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\Documents and Settings\Mr. DAVID\Local Settings\smss.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\Documents and Settings\Mr. DAVID\Local Settings\svchost.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\Documents and Settings\Mr. DAVID\Local Settings\winlogon.exe"
    Fri 10 Aug 2007 77,824 ..SHR --- "C:\Documents and Settings\Mr. DAVID\Local Settings\Temp\Tmp.com"
    Fri 10 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3470d8afe674adae2ee1cba944cf0413\BIT89.tmp"
    Fri 10 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4bff3a39d84c79b75274c24d8341568c\BIT7F.tmp"
    Mon 13 Aug 2007 5,629,208 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\76f9fc8f1dc6a72a021c08d35c113036\BIT78.tmp"
    Fri 24 Aug 2007 25,755,448 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf0471ca1f3f12affe6c8fea1ffc6ddb\BITDA7.tmp"
    Fri 10 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\deb995e7b7d2953ec6904bd5047bd45f\BIT8C.tmp"
    Wed 17 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BITC14.tmp"
    Wed 3 Oct 2007 5,903,928 A..H. --- "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\BIT1B9D.tmp"
    Wed 22 Aug 2007 7,354,040 A..H. --- "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\BIT1E.tmp"
    Wed 15 Aug 2007 23,402,288 A..H. --- "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\BIT1F48.tmp"

    Finished!
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    that is still very badly infected

    Delete any existing version of ComboFix you have sitting on your desktop

    Download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re enable the protection again afterwards before connecting to the net
    --------------------------------------------------------------------
    2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
    • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
    • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****



    It looks like this very bad worm/trojan whatever has killed your symantec antivirus
     
  8. ensoftheearth

    ensoftheearth Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    10
    This is what ComboFix said:
    ComboFix 07-12-02.6 - Mr. DAVID 2007-12-06 20:44:14.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT 7:00]
    Running from: C:\Documents and Settings\Mr. DAVID\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\.MS32DLL.dll.vbs
    C:\Autorun.inf
    C:\MS32DLL.dll.vbs
    C:\WINDOWS\.exe
    C:\WINDOWS\.MS32DLL.dll.vbs
    C:\WINDOWS\boot.ini
    C:\WINDOWS\MS32DLL.dll.vbs
    C:\WINDOWS\services.exe
    C:\WINDOWS\smss.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\winlogon.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
    .

    2007-12-04 07:34 . 2007-12-04 07:34 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-11-19 17:41 . 2007-11-19 17:41 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-14 21:58 . 2007-12-01 11:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-11-14 21:58 . 2007-11-14 21:58 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-11-08 21:08 . 2007-11-27 19:48 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2007-11-08 20:59 . 2007-11-08 20:59 <DIR> d-------- C:\Program Files\JenZo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-06 13:49 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-12-06 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2007-11-27 12:48 --------- d-----w C:\Program Files\3telCafeG729
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\Fonts\font.bat
    2006-08-01 04:00 22,987 --sh--r C:\Documents and Settings\Mr. DAVID\taskmgr.exe
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\Mr. DAVID.exe
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\win.pif
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\Fonts\font.bat
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\system\regedit.exe
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\system\wininit.com
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\system32\command.cmd
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\system32\msdp32.dll
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\system32\TOSHIBA-8BABD84.exe
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\Temp\Tmp.com
    2007-08-10 04:01 77,824 --sh--r C:\WINDOWS\Web\Picture.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 15:32]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
    "IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2005-06-29 08:34]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-15 15:39]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 23:24]
    "Mr. DAVID"="C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\Temp\Tmp.com" [2007-08-10 11:01]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="launchapp" []
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 21:55]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 21:52]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 21:55]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 22:21 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 00:32]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 07:13]
    "NDSTray.exe"="NDSTray.exe" []
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 20:20]
    "Toshiba Hotkey Utility"="C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [2006-01-28 05:13]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 13:06]
    "TPSMain"="TPSMain.exe" [2005-06-01 12:00 C:\WINDOWS\system32\TPSMain.exe]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 07:50]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
    "PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 22:26]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 19:42]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-02 20:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 04:03]
    "TOSHIBA-8BABD84"="C:\WINDOWS\win.pif" [2007-08-10 11:01]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00]

    C:\Documents and Settings\Mr. DAVID\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2006-09-08 03:11:43]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-09-08 02:29:30]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 19:05:26]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-16 07:47:38]

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "System"="C:\\WINDOWS\\System\\wininit.com"

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\services.exe

    R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys
    R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys
    R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys
    R3 EraserUtilDrv10621;EraserUtilDrv10621;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys
    R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys
    R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys
    S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{839fa672-6b43-11dc-aa3f-a71e4cecca64}]
    \Shell\Auto\command - F:\AutoRun.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AutoRun.exe

    .
    **************************************************************************

    catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-06 20:49:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-06 20:51:11 - machine was rebooted
    .
    --- E O F ---

    This is the new report from HiJackThis:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:58:46 PM, on 12/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\TOSHIBA-8BABD84.exe
    C:\WINDOWS\Mr. DAVID.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\DOCUME~1\MRFCAE~1.DAV\taskmgr.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
    F3 - REG:win.ini: run=explorer.exe C:\WINDOWS\System\regedit.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\smss.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LaunchApp] launchapp
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TOSHIBA-8BABD84] C:\WINDOWS\win.pif
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\Policies\Explorer\Run: [(Default)] C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\winlogon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\MRFCAE~1.DAV\taskmgr.exe
    O4 - HKCU\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD3A215-3B1A-4AEB-8863-15E214279B19}: NameServer = 203.189.134.3 203.189.128.2
    O17 - HKLM\System\CS3\Services\Tcpip\..\{2AD3A215-3B1A-4AEB-8863-15E214279B19}: NameServer = 203.189.134.3 203.189.128.2
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MsNet Service (MsNet) - - C:\WINDOWS\Fonts\font.bat
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 12692 bytes
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    I am not certain we can fix this very badly infected computer but we can try

    next step

    download the attached CFScript.txt to your desktop

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



    [​IMG]



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     

    Attached Files:

  10. ensoftheearth

    ensoftheearth Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    10
    Here's a new ComboFix report:
    ComboFix 07-12-02.6 - Mr. DAVID 2007-12-09 0:51:44.4 - NTFSx86
    Running from: C:\Documents and Settings\Mr. DAVID\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
    .

    2007-12-09 00:49 . 2005-04-01 20:36 123,200 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-12-09 00:49 . 2005-04-01 20:36 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-12-04 07:34 . 2007-12-04 07:34 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-11-19 17:41 . 2007-11-19 17:41 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-08 21:08 . 2007-11-27 19:48 <DIR> d-------- C:\Program Files\GameSpy Arcade
    2007-11-08 20:59 . 2007-11-08 20:59 <DIR> d-------- C:\Program Files\JenZo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-08 17:50 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-12-08 17:49 --------- d-----w C:\Program Files\Symantec
    2007-12-08 17:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-08 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-08 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2007-11-27 12:48 --------- d-----w C:\Program Files\3telCafeG729
    .

    ((((((((((((((((((((((((((((( [email protected]_20.50.32.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 03:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    - 2006-09-07 19:52:43 25,214 ----a-r C:\WINDOWS\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\ARPPRODUCTICON.exe
    + 2007-12-08 17:49:57 25,214 ----a-r C:\WINDOWS\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\ARPPRODUCTICON.exe
    - 2006-09-07 19:52:43 40,960 ----a-r C:\WINDOWS\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
    + 2007-12-08 17:49:57 40,960 ----a-r C:\WINDOWS\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 15:32]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
    "IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2005-06-29 08:34]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-15 15:39]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 23:24]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="launchapp" []
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 21:55]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 21:52]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 21:55]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 22:21 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 00:32]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 07:13]
    "NDSTray.exe"="NDSTray.exe" []
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 20:20]
    "Toshiba Hotkey Utility"="C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [2006-01-28 05:13]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 13:06]
    "TPSMain"="TPSMain.exe" [2005-06-01 12:00 C:\WINDOWS\system32\TPSMain.exe]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 07:50]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
    "PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 22:26]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 19:42]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-02 20:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 04:03]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00]

    C:\Documents and Settings\Mr. DAVID\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2006-09-08 03:11:43]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-09-08 02:29:30]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 19:05:26]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-16 07:47:38]

    R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys
    R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys
    R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys
    R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys
    R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys
    S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys

    *Newly Created Service* - CCEVTMGR
    *Newly Created Service* - CCSETMGR
    *Newly Created Service* - DEFWATCH
    *Newly Created Service* - NAVENG
    *Newly Created Service* - NAVEX15
    *Newly Created Service* - SAVRT
    *Newly Created Service* - SAVRTPEL
    *Newly Created Service* - SYMANTEC_ANTIVIRUS
    *Newly Created Service* - SYMEVENT
    *Newly Created Service* - SYMREDRV
    .
    **************************************************************************

    catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-09 00:54:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-09 0:55:51
    .
    --- E O F ---



    And here's the new HijackThis report:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:00:37 AM, on 12/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec AntiVirus\vptray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LaunchApp] launchapp
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 11954 bytes
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    You either didn't follow my previous instructions & use the cfscript or ran combofix manually again afterwards as the files seem to have gone but there isn't any sign of the script being run in the log

    I need to think about this one a bit
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKCU\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'Default user')

    then

    * Run Kaspersky online virus scan Kaspersky Online Scanner.

    After the updates have downloaded, click on the "Scan Settings" button.
    Choose the "Extended database" for the scan.
    Under "Please select a target to scan", click "My Computer".
    When the scan is finished, Save the results from the scan!

    Note: You have to use Internet Explorer to do the online scan.

    Post a new HiJackThis log along with the results from Kaspersky scan

    Note: Kavscan is a scanner only & won't fix anything but will normally find the most infected files so it's report gives us a good place to work from

    You must use IE for the scan to work
     
  13. ensoftheearth

    ensoftheearth Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    10
    I'm sorry, when I tried to run the ComboFix with the attachment, we had a power failure and I had to start again and didn't re-attach the attachment. I think this one worked:

    ComboFix 07-12-02.6 - Mr. DAVID 2007-12-09 22:32:32.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.181 [GMT 7:00]
    Running from: C:\Documents and Settings\Mr. DAVID\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Mr. DAVID\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\services.exe
    C:\DOCUME~1\MRFCAE~1.DAV\LOCALS~1\winlogon.exe
    C:\Documents and Settings\Mr. DAVID\taskmgr.exe
    C:\WINDOWS\Fonts\font.bat
    C:\WINDOWS\Mr. DAVID.exe
    C:\WINDOWS\smss.exe
    C:\WINDOWS\system\regedit.exe
    C:\WINDOWS\system\wininit.com
    C:\WINDOWS\system32\command.cmd
    C:\WINDOWS\system32\msdp32.dll
    C:\WINDOWS\system32\TOSHIBA-8BABD84.exe
    C:\WINDOWS\Temp\Tmp.com
    C:\WINDOWS\Web\Picture.exe
    C:\WINDOWS\win.pif
    .

    ((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
    .

    2007-12-09 21:44 . 2007-12-09 21:44 <DIR> d-------- C:\WINDOWS\LastGood
    2007-12-09 01:22 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
    2007-12-09 00:49 . 2005-04-01 20:36 123,200 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-12-09 00:49 . 2005-04-01 20:36 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-12-04 07:34 . 2007-12-04 07:34 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-11-19 17:41 . 2007-11-19 17:41 <DIR> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-08 18:33 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-12-08 18:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-08 17:55 --------- d-----w C:\Program Files\GameSpy Arcade
    2007-12-08 17:49 --------- d-----w C:\Program Files\Symantec
    2007-12-08 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-08 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2007-11-27 12:48 --------- d-----w C:\Program Files\3telCafeG729
    2007-11-08 13:59 --------- d-----w C:\Program Files\JenZo
    .

    ((((((((((((((((((((((((((((( [email protected]_20.50.32.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 03:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2004-08-04 05:00:00 61,440 -c--a-w C:\WINDOWS\ie7\admparse.dll
    + 2004-08-04 05:00:00 99,840 -c--a-w C:\WINDOWS\ie7\advpack.dll
    + 2004-08-04 05:00:00 35,328 -c--a-w C:\WINDOWS\ie7\corpol.dll
    + 2006-06-03 11:40:49 33,792 -c--a-w C:\WINDOWS\ie7\custsat.dll
    + 2007-08-22 12:55:30 357,888 -c--a-w C:\WINDOWS\ie7\dxtmsft.dll
    + 2007-08-22 12:55:31 205,824 -c--a-w C:\WINDOWS\ie7\dxtrans.dll
    + 2007-08-22 12:55:31 55,808 -c--a-w C:\WINDOWS\ie7\extmgr.dll
    + 2004-08-04 05:00:00 38,912 -c--a-w C:\WINDOWS\ie7\hmmapi.dll
    + 2004-08-04 05:00:00 34,304 -c--a-w C:\WINDOWS\ie7\ie4uinit.exe
    + 2004-08-04 05:00:00 139,264 -c--a-w C:\WINDOWS\ie7\ieakeng.dll
    + 2004-08-04 05:00:00 216,576 -c--a-w C:\WINDOWS\ie7\ieaksie.dll
    + 2004-08-04 05:00:00 221,184 -c--a-w C:\WINDOWS\ie7\ieakui.dll
    + 2004-08-04 05:00:00 323,584 -c--a-w C:\WINDOWS\ie7\iedkcs32.dll
    + 2007-08-21 10:19:39 18,432 -c--a-w C:\WINDOWS\ie7\iedw.exe
    + 2004-08-04 05:00:00 81,920 -c--a-w C:\WINDOWS\ie7\ieencode.dll
    + 2007-08-22 12:55:32 251,904 -c--a-w C:\WINDOWS\ie7\iepeers.dll
    + 2004-08-04 05:00:00 48,640 -c--a-w C:\WINDOWS\ie7\iernonce.dll
    + 2004-08-04 05:00:00 62,976 -c--a-w C:\WINDOWS\ie7\iesetup.dll
    + 2004-08-04 05:00:00 93,184 -c--a-w C:\WINDOWS\ie7\iexplore.exe
    + 2004-08-04 05:00:00 35,840 -c--a-w C:\WINDOWS\ie7\imgutil.dll
    + 2007-08-22 12:55:32 96,256 -c--a-w C:\WINDOWS\ie7\inseng.dll
    + 2006-05-18 05:24:25 450,560 -c--a-w C:\WINDOWS\ie7\jscript.dll
    + 2007-08-22 12:55:32 16,384 -c--a-w C:\WINDOWS\ie7\jsproxy.dll
    + 2004-08-04 05:00:00 22,016 -c--a-w C:\WINDOWS\ie7\licmgr10.dll
    + 2004-08-04 05:00:00 29,184 -c--a-w C:\WINDOWS\ie7\mshta.exe
    + 2007-08-22 12:55:36 3,064,832 -c--a-w C:\WINDOWS\ie7\mshtml.dll
    + 2007-08-22 12:55:37 449,024 -c--a-w C:\WINDOWS\ie7\mshtmled.dll
    + 2004-08-04 05:00:00 56,832 -c--a-w C:\WINDOWS\ie7\mshtmler.dll
    + 2004-08-04 05:00:00 146,432 -c--a-w C:\WINDOWS\ie7\msls31.dll
    + 2007-08-22 12:55:37 146,432 -c--a-w C:\WINDOWS\ie7\msrating.dll
    + 2007-08-22 12:55:38 532,480 -c--a-w C:\WINDOWS\ie7\mstime.dll
    + 2004-08-04 05:00:00 96,256 -c--a-w C:\WINDOWS\ie7\occache.dll
    + 2007-08-22 12:55:38 39,424 -c--a-w C:\WINDOWS\ie7\pngfilt.dll
    + 2007-08-13 11:54:42 32,960 -c--a-w C:\WINDOWS\ie7\spuninst\iecustom.dll
    + 2007-08-13 11:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
    + 2006-09-06 10:43:16 213,216 -c--a-w C:\WINDOWS\ie7\spuninst\spuninst.exe
    + 2006-09-06 10:43:18 371,424 -c--a-w C:\WINDOWS\ie7\spuninst\updspapi.dll
    + 2004-08-04 05:00:00 37,888 -c--a-w C:\WINDOWS\ie7\url.dll
    + 2007-08-22 12:55:43 617,984 -c--a-w C:\WINDOWS\ie7\urlmon.dll
    + 2004-08-04 05:00:00 417,792 -c--a-w C:\WINDOWS\ie7\vbscript.dll
    + 2007-06-26 15:13:22 851,968 -c--a-w C:\WINDOWS\ie7\vgx.dll
    + 2004-08-04 05:00:00 276,480 -c--a-w C:\WINDOWS\ie7\webcheck.dll
    + 2007-08-22 12:55:44 665,600 -c--a-w C:\WINDOWS\ie7\wininet.dll
    + 2007-08-13 11:39:00 123,904 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\advpack.dll
    + 2007-08-13 11:39:00 123,904 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\advpack.dll.000
    + 2007-08-13 11:35:38 214,528 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\dxtrans.dll
    + 2007-08-13 11:54:10 131,584 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\extmgr.dll
    + 2007-08-13 11:36:26 61,952 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\icardie.dll
    + 2007-08-13 11:39:06 54,784 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ie4uinit.exe
    + 2007-08-13 11:39:06 54,784 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ie4uinit.exe.000
    + 2007-08-13 11:39:26 152,064 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakeng.dll
    + 2007-08-13 11:39:26 152,064 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakeng.dll.000
    + 2007-08-13 11:39:54 229,376 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieaksie.dll
    + 2007-08-13 11:39:54 229,376 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieaksie.dll.000
    + 2007-08-13 10:56:54 161,792 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakui.dll
    + 2007-08-13 10:56:54 161,792 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieakui.dll.000
    + 2007-02-12 09:10:12 2,451,312 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieapfltr.dat
    + 2007-07-11 05:27:48 383,488 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieapfltr.dll
    + 2007-08-13 11:39:50 382,976 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iedkcs32.dll
    + 2007-08-13 11:39:50 382,976 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iedkcs32.dll.000
    + 2007-08-13 11:54:10 6,049,280 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieframe.dll
    + 2007-08-13 11:39:10 43,008 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iernonce.dll
    + 2007-08-13 11:39:10 43,008 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iernonce.dll.000
    + 2007-08-13 11:34:04 266,752 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iertutil.dll
    + 2007-08-13 11:39:10 13,312 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\ieudinit.exe
    + 2007-08-13 11:43:56 622,080 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iexplore.exe
    + 2007-08-13 11:43:56 622,080 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\iexplore.exe.000
    + 2007-08-13 11:54:10 27,136 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\jsproxy.dll
    + 2007-08-13 11:54:10 458,752 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msfeeds.dll
    + 2007-08-13 11:54:10 50,688 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msfeedsbs.dll
    + 2007-08-13 11:54:12 3,578,368 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mshtml.dll
    + 2007-08-13 11:54:10 475,648 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mshtmled.dll
    + 2007-08-13 11:44:26 192,000 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\msrating.dll
    + 2007-08-13 11:54:10 670,720 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\mstime.dll
    + 2007-08-13 11:44:06 101,376 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\occache.dll
    + 2007-08-13 11:44:06 101,376 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\occache.dll.000
    + 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\updspapi.dll
    + 2007-08-13 11:44:30 105,984 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\url.dll
    + 2007-08-13 11:44:30 105,984 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\url.dll.000
    + 2007-08-13 11:54:10 1,162,240 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\urlmon.dll
    + 2007-08-13 11:54:10 231,424 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\webcheck.dll
    + 2007-08-13 11:54:10 231,424 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\webcheck.dll.000
    + 2007-08-13 11:54:10 818,688 -c----w C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
    - 2006-09-07 19:52:43 25,214 ----a-r C:\WINDOWS\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\ARPPRODUCTICON.exe
    + 2007-12-08 17:49:57 25,214 ----a-r C:\WINDOWS\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\ARPPRODUCTICON.exe
    - 2006-09-07 19:52:43 40,960 ----a-r C:\WINDOWS\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
    + 2007-12-08 17:49:57 40,960 ----a-r C:\WINDOWS\Installer\{5A633ED0-E5D7-4D65-AB8D-53ED43510284}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
    + 2006-06-03 11:40:49 33,792 ------w C:\WINDOWS\network diagnostic\custsat.dll
    + 2006-10-10 12:44:50 557,568 ------w C:\WINDOWS\network diagnostic\xpnetdiag.exe
    - 2004-08-04 05:00:00 61,440 ----a-w C:\WINDOWS\system32\admparse.dll
    + 2007-08-13 11:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
    - 2004-08-04 05:00:00 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
    + 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    + 2007-08-13 11:39:20 71,680 -c----w C:\WINDOWS\system32\dllcache\admparse.dll
    + 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
    + 2007-08-13 11:42:54 17,408 -c----w C:\WINDOWS\system32\dllcache\corpol.dll
    - 2007-08-22 12:55:30 357,888 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    + 2007-08-13 11:35:46 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    - 2007-08-22 12:55:31 205,824 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
    + 2007-08-20 10:04:34 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
    - 2007-08-22 12:55:31 55,808 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
    + 2007-08-20 10:04:34 132,608 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
    + 2007-08-13 11:18:02 60,416 -c----w C:\WINDOWS\system32\dllcache\hmmapi.dll
    + 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
    + 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    + 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
    + 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
    + 2007-08-17 07:34:25 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
    + 2007-04-17 09:32:38 2,455,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dat
    + 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    + 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    - 2007-08-21 10:19:39 18,432 -c----w C:\WINDOWS\system32\dllcache\iedw.exe
    + 2007-08-13 11:44:02 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
    + 2007-08-13 11:45:18 78,336 -c----w C:\WINDOWS\system32\dllcache\ieencode.dll
    + 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
    - 2007-08-22 12:55:32 251,904 -c----w C:\WINDOWS\system32\dllcache\iepeers.dll
    + 2007-08-13 11:54:10 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
    + 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
    + 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
    + 2007-08-13 11:39:12 55,296 -c----w C:\WINDOWS\system32\dllcache\iesetup.dll
    + 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
    + 2007-08-17 10:21:21 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
    + 2007-08-13 11:36:06 36,352 -c----w C:\WINDOWS\system32\dllcache\imgutil.dll
    - 2007-08-22 12:55:32 96,256 -c----w C:\WINDOWS\system32\dllcache\inseng.dll
    + 2007-08-13 11:39:02 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
    - 2006-05-18 05:24:25 450,560 -c----w C:\WINDOWS\system32\dllcache\jscript.dll
    + 2007-08-13 11:38:04 491,520 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
    - 2007-08-22 12:55:32 16,384 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2007-08-20 10:04:39 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2007-08-13 11:44:18 40,960 -c----w C:\WINDOWS\system32\dllcache\licmgr10.dll
    + 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
    + 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    + 2007-08-13 11:32:30 45,568 -c----w C:\WINDOWS\system32\dllcache\mshta.exe
    - 2007-08-22 12:55:36 3,064,832 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
    + 2007-08-20 08:34:42 3,584,512 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
    - 2007-08-22 12:55:37 449,024 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
    + 2007-08-20 10:04:41 477,696 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
    + 2007-08-13 11:01:12 48,128 -c----w C:\WINDOWS\system32\dllcache\mshtmler.dll
    + 2007-08-13 11:54:10 156,160 -c----w C:\WINDOWS\system32\dllcache\msls31.dll
    - 2007-08-22 12:55:37 146,432 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
    + 2007-08-20 10:04:41 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
    - 2007-08-22 12:55:38 532,480 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
    + 2007-08-20 10:04:42 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
    + 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
    - 2007-08-22 12:55:38 39,424 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
    + 2007-08-13 11:36:12 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    + 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
    - 2007-08-22 12:55:43 617,984 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
    + 2007-08-20 10:04:42 1,152,000 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
    + 2007-08-13 11:54:10 413,696 -c----w C:\WINDOWS\system32\dllcache\vbscript.dll
    - 2007-06-26 15:13:22 851,968 -c----w C:\WINDOWS\system32\dllcache\vgx.dll
    + 2007-08-13 11:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
    + 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
    - 2007-08-22 12:55:44 665,600 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
    + 2007-08-20 10:04:43 824,832 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
    - 2007-08-22 12:55:30 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    + 2007-08-13 11:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    - 2007-08-22 12:55:31 205,824 ----a-w C:\WINDOWS\system32\dxtrans.dll
    + 2007-08-20 10:04:34 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
    - 2007-08-22 12:55:31 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
    + 2007-08-20 10:04:34 132,608 ------w C:\WINDOWS\system32\extmgr.dll
    + 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    + 2006-06-29 01:05:44 26,112 ------w C:\WINDOWS\system32\idndl.dll
    - 2004-08-04 05:00:00 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
    + 2007-08-17 10:20:54 63,488 ------w C:\WINDOWS\system32\ie4uinit.exe
    - 2004-08-04 05:00:00 139,264 ----a-w C:\WINDOWS\system32\ieakeng.dll
    + 2007-08-20 10:04:34 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
    - 2004-08-04 05:00:00 216,576 ----a-w C:\WINDOWS\system32\ieaksie.dll
    + 2007-08-20 10:04:35 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
    - 2004-08-04 05:00:00 221,184 ----a-w C:\WINDOWS\system32\ieakui.dll
    + 2007-08-17 07:34:25 161,792 ------w C:\WINDOWS\system32\ieakui.dll
    + 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\system32\ieapfltr.dat
    + 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    - 2004-08-04 05:00:00 323,584 ----a-w C:\WINDOWS\system32\iedkcs32.dll
    + 2007-08-20 10:04:35 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
    - 2004-08-04 05:00:00 81,920 ----a-w C:\WINDOWS\system32\ieencode.dll
    + 2007-08-13 11:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
    + 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
    - 2007-08-22 12:55:32 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
    + 2007-08-13 11:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
    - 2004-08-04 05:00:00 48,640 ----a-w C:\WINDOWS\system32\iernonce.dll
    + 2007-08-20 10:04:38 44,544 ------w C:\WINDOWS\system32\iernonce.dll
    + 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    - 2004-08-04 05:00:00 62,976 ----a-w C:\WINDOWS\system32\iesetup.dll
    + 2007-08-13 11:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
    + 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    + 2007-08-13 11:54:10 180,736 ------w C:\WINDOWS\system32\ieui.dll
    - 2004-08-04 05:00:00 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
    + 2007-08-13 11:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
    - 2007-08-22 12:55:32 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
    + 2007-08-13 11:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
    - 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
    + 2007-08-13 11:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
    - 2007-08-22 12:55:32 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
    + 2007-08-20 10:04:39 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
    - 2004-08-04 05:00:00 22,016 ----a-w C:\WINDOWS\system32\licmgr10.dll
    + 2007-08-13 11:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
    + 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    + 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    + 2007-08-13 11:36:40 12,288 ------w C:\WINDOWS\system32\msfeedssync.exe
    - 2004-08-04 05:00:00 29,184 ----a-w C:\WINDOWS\system32\mshta.exe
    + 2007-08-13 11:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
    - 2007-08-22 12:55:36 3,064,832 ----a-w C:\WINDOWS\system32\mshtml.dll
    + 2007-08-20 08:34:42 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
    - 2007-08-22 12:55:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
    + 2007-08-20 10:04:41 477,696 ------w C:\WINDOWS\system32\mshtmled.dll
    - 2004-08-04 05:00:00 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll
    + 2007-08-13 11:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
    - 2004-08-04 05:00:00 146,432 ----a-w C:\WINDOWS\system32\msls31.dll
    + 2007-08-13 11:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
    - 2007-08-22 12:55:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
    + 2007-08-20 10:04:41 193,024 ------w C:\WINDOWS\system32\msrating.dll
    - 2007-08-22 12:55:38 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
    + 2007-08-20 10:04:42 671,232 ------w C:\WINDOWS\system32\mstime.dll
    + 2006-06-28 10:59:26 24,576 ------w C:\WINDOWS\system32\nlsdl.dll
    + 2006-06-29 01:05:44 23,552 ------w C:\WINDOWS\system32\normaliz.dll
    - 2004-08-04 05:00:00 96,256 ----a-w C:\WINDOWS\system32\occache.dll
    + 2007-08-20 10:04:42 102,400 ------w C:\WINDOWS\system32\occache.dll
    - 2007-08-22 12:55:38 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
    + 2007-08-13 11:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    - 2005-06-28 03:21:34 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
    + 2006-09-06 10:43:16 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
    - 2004-08-04 05:00:00 37,888 ----a-w C:\WINDOWS\system32\url.dll
    + 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
    - 2007-08-22 12:55:43 617,984 ----a-w C:\WINDOWS\system32\urlmon.dll
    + 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
    - 2004-08-04 05:00:00 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
    + 2007-08-13 11:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
    - 2004-08-04 05:00:00 49,152 ----a-w C:\WINDOWS\system32\wdigest.dll
    + 2006-03-24 04:37:50 49,152 ----a-w C:\WINDOWS\system32\wdigest.dll
    - 2004-08-04 05:00:00 276,480 ----a-w C:\WINDOWS\system32\webcheck.dll
    + 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
    + 2007-08-13 11:45:16 206,336 ------w C:\WINDOWS\system32\WinFXDocObj.exe
    - 2007-08-22 12:55:44 665,600 ----a-w C:\WINDOWS\system32\wininet.dll
    + 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
    + 2006-07-14 15:51:51 121,856 ------w C:\WINDOWS\system32\xmllite.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 15:32]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
    "IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2005-06-29 08:34]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-15 15:39]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 23:24]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="launchapp" []
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 21:55]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 21:52]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 21:55]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 22:21 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 00:32]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 07:13]
    "NDSTray.exe"="NDSTray.exe" []
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 20:20]
    "Toshiba Hotkey Utility"="C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [2006-01-28 05:13]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 13:06]
    "TPSMain"="TPSMain.exe" [2005-06-01 12:00 C:\WINDOWS\system32\TPSMain.exe]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 07:50]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
    "PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 22:26]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 19:42]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-02 20:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 04:03]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00]

    C:\Documents and Settings\Mr. DAVID\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2006-09-08 03:11:43]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-09-08 02:29:30]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 19:05:26]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-16 07:47:38]

    R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys
    R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys
    R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys
    R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys
    R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys
    S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys

    *Newly Created Service* - ERASERUTILDRVI4
    .
    **************************************************************************

    catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-09 22:34:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-09 22:35:18
    C:\ComboFix2.txt ... 2007-12-09 00:55
    .
    --- E O F ---
     
  14. ensoftheearth

    ensoftheearth Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    10
    Here's another HijackThis report as per the Kaspersky request:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:46:07 PM, on 12/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LaunchApp] launchapp
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 12655 bytes
     
  15. ensoftheearth

    ensoftheearth Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    10
    I attach a text file with the Kaspersky reportyou requested
     

    Attached Files:

  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/650437

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice