Micro av virus new to game
   
BullGuard Antivirus Forum > Virus Removal > Removal Help
ben449 (New Member)
Posted 10-2-2008 1:03 (GMT +1)
Hi. I have followed the instructions on the other threads and have gotten to this point.
Help will be greatly appreciated, thank you.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:55 PM, on 2/10/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Windows\System32\YUR74E1.exe
C:\Windows\System32\YUR7944.exe
C:\Windows\System32\YUR7B95.exe
C:\Windows\System32\YURFAA3.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [\YUR74E1.exe] C:\Windows\system32\YUR74E1.exe
O4 - HKLM\..\Run: [\YUR75DA.exe] C:\Windows\system32\YUR75DA.exe
O4 - HKLM\..\Run: [\YUR7944.exe] C:\Windows\system32\YUR7944.exe
O4 - HKLM\..\Run: [\YUR7B95.exe] C:\Windows\system32\YUR7B95.exe
O4 - HKLM\..\Run: [\YURFAA3.exe] C:\Windows\system32\YURFAA3.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nnNHxXpM.dll,#1
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [pep] c:\WINDOWS\system32\pep.exe
O4 - HKCU\..\Run: [\YUR74E1.exe] C:\Windows\system32\YUR74E1.exe
O4 - HKCU\..\Run: [\YUR75DA.exe] C:\Windows\system32\YUR75DA.exe
O4 - HKCU\..\Run: [\YUR7944.exe] C:\Windows\system32\YUR7944.exe
O4 - HKCU\..\Run: [\YUR7B95.exe] C:\Windows\system32\YUR7B95.exe
O4 - HKCU\..\Run: [\YURFAA3.exe] C:\Windows\system32\YURFAA3.exe
O4 - HKCU\..\Run: [\YUR21E1.exe] C:\Windows\system32\YUR21E1.exe
O4 - HKCU\..\Run: [\YUR223F.exe] C:\Windows\system32\YUR223F.exe
O4 - HKCU\..\Run: [\YUR21F1.exe] C:\Windows\system32\YUR21F1.exe
O4 - HKCU\..\Run: [\YURD69F.exe] C:\Windows\system32\YURD69F.exe
O4 - HKCU\..\Run: [\YURC88C.exe] C:\Windows\system32\YURC88C.exe
O4 - HKCU\..\Run: [\YURDD24.exe] C:\Windows\system32\YURDD24.exe
O4 - HKCU\..\Run: [\YURE0CC.exe] C:\Windows\system32\YURE0CC.exe
O4 - HKCU\..\Run: [\YURDBDD.exe] C:\Windows\system32\YURDBDD.exe
O4 - HKCU\..\Run: [\YURF65F.exe] C:\Windows\system32\YURF65F.exe
O4 - HKCU\..\Run: [\YUR8A64.exe] C:\Windows\system32\YUR8A64.exe
O4 - HKCU\..\Run: [\YUR8A63.exe] C:\Windows\system32\YUR8A63.exe
O4 - HKCU\..\Run: [\YURAAFD.exe] C:\Windows\system32\YURAAFD.exe
O4 - HKCU\..\Run: [\YURD577.exe] C:\Windows\system32\YURD577.exe
O4 - HKCU\..\Run: [\YUR9C0.exe] C:\Windows\system32\YUR9C0.exe
O4 - HKCU\..\Run: [\YUR7982.exe] C:\Windows\system32\YUR7982.exe
O4 - HKCU\..\Run: [\YUR91D3.exe] C:\Windows\system32\YUR91D3.exe
O4 - HKCU\..\Run: [\YUR7A3D.exe] C:\Windows\system32\YUR7A3D.exe
O4 - HKCU\..\Run: [\YURD9F9.exe] C:\Windows\system32\YURD9F9.exe
O4 - HKCU\..\Run: [\YURF881.exe] C:\Windows\system32\YURF881.exe
O4 - HKCU\..\Run: [\YURBA81.exe] C:\Windows\system32\YURBA81.exe
O4 - HKCU\..\Run: [\YUR8F69.exe] C:\Windows\system32\YUR8F69.exe
O4 - HKCU\..\Run: [\YUREB86.exe] C:\Windows\system32\YUREB86.exe
O4 - HKCU\..\Run: [\YUREB87.exe] C:\Windows\system32\YUREB87.exe
O4 - HKCU\..\Run: [\YURF546.exe] C:\Windows\system32\YURF546.exe
O4 - HKCU\..\Run: [\YUREDF6.exe] C:\Windows\system32\YUREDF6.exe
O4 - HKCU\..\Run: [\YUR68DF.exe] C:\Windows\system32\YUR68DF.exe
O4 - HKCU\..\Run: [\YUR5CA.exe] C:\Windows\system32\YUR5CA.exe
O4 - HKCU\..\Run: [\YURF537.exe] C:\Windows\system32\YURF537.exe
O4 - HKCU\..\Run: [\YURF7E5.exe] C:\Windows\system32\YURF7E5.exe
O4 - HKCU\..\Run: [\YUR737A.exe] C:\Windows\system32\YUR737A.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 15301 bytes
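As an added example (not code from this thread or from HijackThis, Malwarebytes or ComboFix), here is a small Python triage script that parses the O4 Run entries of a HijackThis log like the one above, cross-references each entry with the "Running processes" section, and scores it on the indicators this particular log exhibits: Run value names beginning with a backslash, executables launched straight from system32, random-looking file names such as YUR74E1.exe, and rundll32 loading a system32 DLL by ordinal. The sample log is a constructed excerpt, and the scoring heuristics are assumptions tuned to this thread's log rather than a general malware signature.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the HijackThis log posted above (not the
# full log): a "Running processes" section followed by O4 autostart entries.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
Running processes:
C:\\Windows\\System32\\svchost.exe
C:\\Windows\\System32\\YUR74E1.exe
C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKLM\\..\\Run: [\\YUR74E1.exe] C:\\Windows\\system32\\YUR74E1.exe
O4 - HKLM\\..\\Run: [MSServer] rundll32.exe C:\\Windows\\system32\\nnNHxXpM.dll,#1
O4 - HKCU\\..\\Run: [pep] c:\\WINDOWS\\system32\\pep.exe
O4 - HKCU\\..\\Run: [Sidebar] C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun
O4 - HKUS\\S-1-5-19\\..\\Run: [Sidebar] %ProgramFiles%\\Windows Sidebar\\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First quoted-or-bare path ending in an executable extension.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|cpl))', re.IGNORECASE)
# Assumed heuristic tuned to this log: short letter prefix + hex run (YUR74E1, YUR9C0).
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{2,4}[0-9A-Fa-f]{3,4}$")


def basename(path: str) -> str:
    """Last path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def extract_target(cmd: str) -> str:
    """The file a Run entry launches; for rundll32 entries, the DLL it loads."""
    c = cmd.strip()
    m = re.match(r"rundll32(?:\.exe)?\s+", c, re.IGNORECASE)
    if m:
        c = c[m.end():]
    m = PATH_RE.match(c)
    return m.group("path") if m else c


def signals_for(name: str, cmd: str, target: str) -> List[str]:
    """Indicators visible in this thread's log; each is a hint, not proof."""
    sig = []
    if name.startswith("\\"):
        sig.append("value-name-starts-with-backslash")
    in_system32 = re.search(r"\\system32\\[^\\]+$", target, re.IGNORECASE) is not None
    if in_system32 and target.lower().endswith(".exe"):
        sig.append("exe-launched-from-system32")
    if re.match(r"rundll32", cmd.strip(), re.IGNORECASE):
        if ",#" in cmd:
            sig.append("rundll32-ordinal-export")
        if in_system32:
            sig.append("rundll32-dll-from-system32")
    if RANDOM_STEM_RE.match(basename(target).rsplit(".", 1)[0]):
        sig.append("random-looking-filename")
    return sig


def verdict(sig: List[str]) -> str:
    """Two or more independent indicators -> flag; one -> analyst review."""
    if len(sig) >= 2:
        return "suspicious"
    return "review" if sig else "ok"


def triage(log_text: str) -> List[Dict]:
    """Parse O4 Run entries and cross-reference them with running processes."""
    running = set()
    entries = []
    in_procs = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs and not re.match(r"^[A-Za-z]:\\", line):
            in_procs = False  # first non-path line ends the section
        if in_procs:
            running.add(basename(line).lower())
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        target = extract_target(cmd)
        sig = signals_for(name, cmd, target)
        entries.append({
            "hive": m.group("hive"),
            "name": name,
            "target": target,
            "running": basename(target).lower() in running,
            "signals": sig,
            "verdict": verdict(sig),
        })
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["verdict"]:10} {e["hive"]:16} [{e["name"]}] -> {e["target"]}'
              f'  running={e["running"]}  {e["signals"]}')
```

Run against the full log above, the same rules flag every `[\YURxxxx.exe]` entry and the `MSServer` rundll32 entry, which is exactly the set Malwarebytes later removed; `pep.exe` lands in "review" because a single indicator is not enough on its own.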
 

Touch (Forum Moderator)
Posted 10-2-2008 6:29 (GMT +1)
Hello :)

and save it on the desktop. Then double-click on it (Fix_download.exe).
You may have to allow the program to download files from the web!

The program downloads the necessary cleaning programs. Once the program is downloaded, there will be a folder on your desktop named Fix. If the instructions do not open automatically, double-click "FIX_manual.htm" in the Fix folder.

Please follow the instructions and copy the logs here, in this topic.

Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

 

ben449 (New Member)
Posted 10-3-2008 4:28 (GMT +1)
Thank you mate, I appreciate your help so far.

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 6.0.6000
3/10/2008 12:04:45 AM
mbam-log-2008-10-03 (00-04-45).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 129719
Time elapsed: 1 hour(s), 35 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 43
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur74e1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur75da.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7944.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7b95.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurfaa3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur74e1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur75da.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7944.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7b95.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurfaa3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur21e1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur223f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur21f1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurd69f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurc88c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurdd24.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yure0cc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurdbdd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf65f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8a64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8a63.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yuraafd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurd577.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur9c0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7982.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur91d3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7a3d.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurd9f9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf881.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurba81.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8f69.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yureb86.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yureb87.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf546.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yuredf6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur68df.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5ca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf537.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf7e5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur737a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurff48.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8858.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\awTLccCT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\hggfgEuR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\YUR74E1.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\YUR75DA.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\YUR7944.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\YUR7B95.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\YURFAA3.exe (Trojan.Agent) -> Delete on reboot.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
 

ben449 (New Member)
Posted 10-4-2008 3:27 (GMT +1)
OK, I have just gotten to the point where I had run the ComboFix scan. I'm unsure if it had finished or not due to not watching it; then the computer began to restart itself and got to the point where it couldn't start back up for some reason. It managed to start back up after it fixed the problem, apparently. It had removed all the programs that were used to do the scans, and all the logs have disappeared; somehow it brought back Micro AV on the desktop, and it is now running slower than ever. Do I attempt to re-do the scans or try something else? I noticed a difference in the computer after running a couple until it crashed.
Your help is very appreciated, thank you.
 

Touch (Forum Moderator)
Posted 10-4-2008 1:17 (GMT +1)
Update Malwarebytes' Anti-Malware and run a complete scan, then:

Please download Combofix:

And save to the desktop.

Close all other browser windows.

Important -> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with Combofix or remove some of its embedded files, which may cause "unpredictable results".

Go to Start -> Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Please note that once you start Combofix you should not click anywhere on the Combofix window, as it can cause the program to stall. In fact, when Combofix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply, along with the Malwarebytes log.

Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

 

ben449 (New Member)
Posted 10-12-2008 12:48 (GMT +1)
Sorry mate, I have been working away the last week so haven't been able to get onto the computer, but anyway here are my logs.




Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 6.0.6000
4/10/2008 12:48:11 PM
mbam-log-2008-10-04 (12-48-11).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 126798
Time elapsed: 1 hour(s), 39 minute(s), 42 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 37
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 13
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur74e1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur75da.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7944.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7b95.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurfaa3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur74e1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur75da.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7944.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7b95.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurfaa3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur21e1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur223f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur21f1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurd69f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurc88c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurdd24.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yure0cc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurdbdd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf65f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8a64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8a63.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yuraafd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurd577.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur9c0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7982.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur91d3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7a3d.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurd9f9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf881.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurba81.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8f69.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yureb86.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yureb87.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf546.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yuredf6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur68df.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\MicroAV\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Windows\System32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\YUR74E1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\YUR75DA.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\YUR7944.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\YUR7B95.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\YURFAA3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\urQjHwxu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\awTLccCT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\hggfgEuR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Users\user\Desktop\Micro Antivirus 2009.lnk (Rogue.XPertAntivirus) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:07 PM, on 4/10/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: TSToolbarBHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [pep] c:\WINDOWS\system32\pep.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 10390 bytes
ComboFix 08-10-04.07 - user 2008-10-05 11:52:10.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.274 [GMT 8:00]
Running from: C:\Users\user\Desktop\FIX\ComboFix.exe
 * Created a new restore point
.
(((((((((((((((((((((((((   Files Created from 2008-09-05 to 2008-10-05  )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 21:17 --------- d-----w C:\Program Files\Spyware Doctor
2008-10-04 21:17 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-10-04 21:17 --------- d-----w C:\Program Files\CCleaner
2008-10-04 05:28 --------- d-----w C:\ProgramData\Yahoo! Companion
2008-10-04 04:56 --------- d---a-w C:\ProgramData\TEMP
2008-10-03 07:24 --------- d-----w C:\Program Files\Yahoo!
2008-10-02 14:24 --------- d-----w C:\Users\user\AppData\Roaming\Malwarebytes
2008-10-02 14:24 --------- d-----w C:\ProgramData\Malwarebytes
2008-10-02 11:51 --------- d-----w C:\Program Files\Trend Micro
2008-10-01 15:18 --------- d-----w C:\Users\user\AppData\Roaming\uTorrent
2008-10-01 13:33 --------- d-----w C:\Users\user\AppData\Roaming\PC Tools
2008-10-01 12:51 --------- d-----w C:\ProgramData\Trend Micro
2008-09-27 02:12 --------- d-----w C:\Program Files\Xvid
2008-09-25 07:16 --------- d-----w C:\Program Files\Google
2008-09-20 05:25 41,763 ----a-w C:\Windows\System32\pep.exe
2008-09-10 11:39 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-09 16:04 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys
2008-09-09 16:03 17,200 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-09-06 12:00 --------- d-----w C:\Users\user\AppData\Roaming\toshiba
2008-09-06 10:35 --------- d-----w C:\Users\user\AppData\Roaming\Intel
2008-09-05 03:45 --------- d--h--w C:\ProgramData\CanonBJ
2008-09-03 01:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-03 01:52 --------- d-----w C:\Program Files\Game Copy Pro
2008-09-02 17:04 268,800 ----a-w C:\Windows\System32\es.dll
2008-09-01 17:53 174 --sha-w C:\Program Files\desktop.ini
2008-09-01 17:48 --------- d-----w C:\Program Files\Windows Sidebar
2008-09-01 17:48 --------- d-----w C:\Program Files\Windows Mail
2008-09-01 17:48 --------- d-----w C:\Program Files\Windows Defender
2008-09-01 17:48 --------- d-----w C:\Program Files\Windows Calendar
2008-09-01 17:37 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-09-01 17:37 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-09-01 17:37 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-09-01 17:35 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-09-01 17:35 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-09-01 17:31 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-09-01 17:31 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-09-01 17:31 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-09-01 17:30 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-09-01 17:29 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-09-01 17:29 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-09-01 17:29 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-09-01 17:29 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-09-01 17:28 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-09-01 17:28 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-09-01 17:28 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-09-01 17:28 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-09-01 17:28 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-09-01 17:28 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-09-01 17:28 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-09-01 17:28 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-09-01 17:28 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-09-01 17:26 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-09-01 17:26 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-09-01 17:26 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-09-01 17:26 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-09-01 17:26 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-09-01 17:26 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-09-01 17:26 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-09-01 17:26 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-09-01 17:25 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-09-01 17:25 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-09-01 17:23 797,696 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-09-01 17:23 6,917,120 ----a-w C:\Windows\System32\NlsLexicons0c1a.dll
2008-09-01 17:23 4,493,312 ----a-w C:\Windows\System32\NlsData0816.dll
2008-09-01 17:23 4,493,312 ----a-w C:\Windows\System32\NlsData0416.dll
2008-09-01 17:23 4,493,312 ----a-w C:\Windows\System32\NlsData0414.dll
2008-09-01 17:23 1,963,520 ----a-w C:\Windows\System32\NlsData0c1a.dll
2008-09-01 17:23 1,963,520 ----a-w C:\Windows\System32\NlsData081a.dll
2008-09-01 17:23 1,963,520 ----a-w C:\Windows\System32\NlsData000f.dll
2008-09-01 17:20 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-09-01 17:20 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-09-01 17:20 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-09-01 17:20 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-09-01 17:18 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-09-01 17:18 595,456 ----a-w C:\Windows\System32\schedsvc.dll
2008-09-01 17:18 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-09-01 17:18 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-09-01 17:18 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-09-01 17:18 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-09-01 17:18 35,328 ----a-w C:\Windows\System32\dispci.dll
2008-09-01 17:18 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-09-01 17:18 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-09-01 17:18 12,800 ----a-w C:\Windows\System32\batt.dll
2008-09-01 17:16 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
2008-09-01 17:16 13,312 ----a-w C:\Windows\system32\drivers\sffdisk.sys
2008-09-01 17:16 12,800 ----a-w C:\Windows\system32\drivers\sffp_sd.sys
2008-09-01 17:15 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-09-01 17:15 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-09-01 17:15 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-09-01 17:15 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-09-01 17:15 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-09-01 17:14 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2008-09-01 17:14 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2008-09-01 17:14 39,936 ----a-w C:\Windows\System32\slcinst.dll
2008-09-01 17:14 351,232 ----a-w C:\Windows\System32\SLUI.exe
2008-09-01 17:14 33,280 ----a-w C:\Windows\System32\slwmi.dll
2008-09-01 17:14 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2008-09-01 17:14 223,232 ----a-w C:\Windows\System32\SLC.dll
2008-09-01 17:14 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2008-09-01 17:14 186,368 ----a-w C:\Windows\System32\SLLUA.exe
.
(((((((((((((((((((((((((((((   snapshot@2008-10-04_13.52.38.79   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-05 03:57:44 229,264 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-10-04 05:45:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-10-05 03:58:48 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-10-04 05:45:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-10-05 03:58:48 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-10-04 05:46:33 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-10-05 04:00:09 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-10-04 05:46:33 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-10-05 04:00:09 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-10-05 04:00:09 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-10-04 21:17:37 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-10-05 03:52:05 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-10-04 05:24:00 108,526 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-10-04 05:52:05 108,526 ----a-w C:\Windows\System32\perfc009.dat
- 2008-10-04 05:24:00 623,342 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-10-04 05:52:05 623,342 ----a-w C:\Windows\System32\perfh009.dat
- 2008-10-04 01:51:46 2,580 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-10-05 03:57:45 2,580 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 14:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 14:03 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-09-02 1232896]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-04-21 430080]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"pep"="c:\WINDOWS\system32\pep.exe" [2008-09-20 41763]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 C:\Windows\System32\oobefldr.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-04 865840]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 448632]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 413696]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"RegKillElbyCheck"="C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2001-12-06 45056]
"RegKillTray"="C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-04-13 49152]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-09-10 1253040]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 C:\Windows\RtHDVCpl.exe]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-02-28 2756608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 13:50 90112 C:\Windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ    scecli psqlpwd
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{419DE1E0-7C13-44A4-BB85-4BCFB09A0A25}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{7D7598DB-B0D4-4346-A058-EF4FC759A326}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{558C1303-C8CE-4C07-A5D7-5F0D049C273D}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{D37030FB-9235-400E-8BB9-7C3E5D2086F5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{4FDE5902-FDB3-4077-BA7F-3F8D64236AFA}C:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= UDP:C:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime
"UDP Query User{AC15CF09-D86A-4157-BF05-18F820345B19}C:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= TCP:C:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime
"{407DDAF4-7E8D-4074-9612-7A6378C33F80}"= UDP:C:\Windows\System32\mpxa.exe:mpxa
"{92A4D702-E4A2-4384-BE1A-0C81AE0E20C3}"= TCP:C:\Windows\System32\mpxa.exe:mpxa
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\system32\DRIVERS\tmlwf.sys [2008-02-15 141840]
R2 tmwfp;Trend Micro WFP Callout Driver;C:\Windows\system32\DRIVERS\tmwfp.sys [2008-02-15 234512]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-05-16 2602496]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
R3 RegKill;RegKill;C:\Windows\system32\Drivers\RegKill.sys [2002-03-10 6144]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-01-10 221696]
.
Contents of the 'Scheduled Tasks' folder
2008-09-01 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 09:20]
.
.
------- Supplementary Scan -------
.
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 12:01:13
Windows 6.0.6000  NTFS
scanning hidden processes ...
C:\Windows\System32\dllhost.exe [2484] 0x847861E8
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\System32\agrsmsvc.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\System32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
.
**************************************************************************
.
Completion time: 2008-10-05 12:08:13 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-05 04:07:52
ComboFix2.txt  2008-10-04 05:54:14
Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 18,429,714,432 bytes free
280 --- E O F --- 2008-09-26 09:19:55


Thank you for your help so far.

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812
   Posted 10-12-2008 2:32 (GMT +1)
Please upload and have these files scanned:
C:\Windows\System32\dllhost.exe
C:\Windows\System32\pep.exe
Here:

Or here:
Post back the results


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

ben449
New Member


Date Joined Oct 2008
Total Posts : 5
   Posted 10-12-2008 2:55 (GMT +1)
AhnLab-V3 2008.10.10.1 2008.10.10 -
AntiVir 7.8.1.34 2008.10.11 -
Authentium 5.1.0.4 2008.10.11 -
Avast 4.8.1248.0 2008.10.11 -
AVG 8.0.0.161 2008.10.11 -
BitDefender 7.2 2008.10.12 -
CAT-QuickHeal 9.50 2008.10.11 -
ClamAV 0.93.1 2008.10.12 -
DrWeb 4.44.0.09170 2008.10.12 -
eSafe 7.0.17.0 2008.10.12 -
eTrust-Vet 31.6.6139 2008.10.09 -
Ewido 4.0 2008.10.12 -
F-Prot 4.4.4.56 2008.10.11 -
Fortinet 3.113.0.0 2008.10.12 -
GData 19 2008.10.12 -
Ikarus T3.1.1.34.0 2008.10.12 -
K7AntiVirus 7.10.491 2008.10.11 -
Kaspersky 7.0.0.125 2008.10.12 -
McAfee 5403 2008.10.11 -
Microsoft 1.4005 2008.10.12 -
NOD32 3515 2008.10.11 -
Norman 5.80.02 2008.10.10 W32/Renos.AUD.dropper
Panda 9.0.0.4 2008.10.12 -
PCTools 4.4.2.0 2008.10.12 -
Rising 20.65.42.00 2008.10.10 -
SecureWeb-Gateway 6.7.6 2008.10.11 -
Sophos 4.34.0 2008.10.12 -
Sunbelt 3.1.1716.1 2008.10.12 -
Symantec 10 2008.10.12 -
TheHacker 6.3.1.0.108 2008.10.11 -
TrendMicro 8.700.0.1004 2008.10.10 -
VBA32 3.12.8.6 2008.10.12 suspected of Corrupted.Win32File (entry point in import table)
ViRobot 2008.10.10.1416 2008.10.10 -
VirusBuster 4.5.11.0 2008.10.11 -
Additional information
File size: 41763 bytes
MD5...: 6983debe768648ed995b0902e4880874
SHA1..: 7694bdc6e1de0cb28349ee25ba5872f5ac290003
SHA256: 138ac0cb893cf4402431d4835ffe85b837717f48b484b9adbb5af8c1d853e3f6
SHA512: 1157581ab2ee582a027c18a4cb095efd75fdba120dc98e616c23ad49ea2236b0c0020e8e128c886f55e8cd7cc4c2633020b809f0b77c05b5b67873565a020b31
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4030e3
timedatestamp.....: 0x4878f231 (Sat Jul 12 18:04:33 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5b68 0x5c00 6.49 6bfa289fc453f683cf6ad42723acbb61
.rdata 0x7000 0x129c 0x1400 5.05 165e3e874dc59c8a96748c6f4d0f4207
.data 0x9000 0x25c58 0x400 4.77 78a50275610b8d77577a9aaa1957d1b6
.ndata 0x2f000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x38000 0x6c8 0x800 2.92 af2063e112f61c1136b3f5784e131084

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
Norman Sandbox:
[ General information ]
* IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD).
* File length: 41763 bytes.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsr8199.tmp.
* Deletes file C:\WINDOWS\TEMP\nsr8199.tmp.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Creates directory C:\WINDOWS\TEMP\nsz0099.tmp.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp\InetLoad.dll.
* Creates file C:\WINDOWS\a.

[ Changes to registry ]
* Creates value "pep"="c:\WINDOWS\system32\pep.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\".

[ Network services ]
* Connects to "www.elistan.com" on port 80 (TCP).
* Opens URL: www.elistan.com/ho.phpSSjSWh.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Creates a dialogbox with caption "InetLoad plug-in".

[ Signature Scanning ]
* C:\WINDOWS\TEMP\nsz0099.tmp\InetLoad.dll (18944 bytes) : W32/Renos.AUD.
 
AhnLab-V3 2008.10.10.1 2008.10.10 -
AntiVir 7.8.1.34 2008.10.11 -
Authentium 5.1.0.4 2008.10.11 -
Avast 4.8.1248.0 2008.10.11 -
AVG 8.0.0.161 2008.10.11 -
BitDefender 7.2 2008.10.12 -
CAT-QuickHeal 9.50 2008.10.11 -
ClamAV 0.93.1 2008.10.12 -
DrWeb 4.44.0.09170 2008.10.12 -
eSafe 7.0.17.0 2008.10.12 -
eTrust-Vet 31.6.6141 2008.10.10 -
Ewido 4.0 2008.10.12 -
F-Prot 4.4.4.56 2008.10.11 -
F-Secure 8.0.14332.0 2008.10.12 -
Fortinet 3.113.0.0 2008.10.12 -
GData 19 2008.10.12 -
Ikarus T3.1.1.34.0 2008.10.12 -
K7AntiVirus 7.10.491 2008.10.11 -
Kaspersky 7.0.0.125 2008.10.12 -
McAfee 5403 2008.10.11 -
Microsoft 1.4005 2008.10.12 -
NOD32 3515 2008.10.11 -
Norman 5.80.02 2008.10.10 -
Panda 9.0.0.4 2008.10.12 -
PCTools 4.4.2.0 2008.10.12 -
Prevx1 V2 2008.10.12 -
Rising 20.65.42.00 2008.10.10 -
SecureWeb-Gateway 6.7.6 2008.10.11 -
Sophos 4.34.0 2008.10.12 -
Sunbelt