Trojan Horse - HELP PLEASE

Hello Serendipity :) Welcome to The Forums. My name is Rahina Rescue and I will be handling your log to help you get cleaned up.

Please give me some time to look it over and I will get back to you as soon as possible.

Step #1

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download CWShredder to its own folder.

Open CWShredder.exe and click the Check For Update button.
After downloading any necessary updated, please close the program.

Step #2

Please download Brute Force Uninstaller to your desktop.

• Right-click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk ( C: ) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download SideKickFix.
Save it in the same folder you made earlier (c:\BFU). ( Do not Run Bat file yet !)

Step #3

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Step #4

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder again, by doubling clicking on the program you downloaded earlier.
Click "Fix" and then "Next", let it fix everything it asks about.

Please close ALL other open folder's, then double-click on sidekickFix.bat.
Click YES and follow the prompts, when prompted to restart the PC please do so.

Step #5

Next, Please download Combofix to your desktop.

• Double click on Combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Step #6

In your next reply to this thread please post:

• Smitfraudfix Report.txt
• Combofix Report
• Hijackthis Logfile

Hello Serendipity :) Welcome to The Forums. My name is Rahina Rescue and I will be handling your log to help you get cleaned up.

Please give me some time to look it over and I will get back to you as soon as possible.

THANKS SO MUCH, Rahina Rescue! You are a ray of hope!

Step #1

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download CWShredder to its own folder.

Open CWShredder.exe and click the Check For Update button.
After downloading any necessary updated, please close the program.

Step #2

Please download Brute Force Uninstaller to your desktop.

• Right-click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk ( C: ) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download SideKickFix.
Save it in the same folder you made earlier (c:\BFU). ( Do not Run Bat file yet !)

Step #3

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Step #4

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder again, by doubling clicking on the program you downloaded earlier.
Click "Fix" and then "Next", let it fix everything it asks about.

Please close ALL other open folder's, then double-click on sidekickFix.bat.
Click YES and follow the prompts, when prompted to restart the PC please do so.

Step #5

Next, Please download Combofix to your desktop.

• Double click on Combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Step #6

In your next reply to this thread please post:

• Smitfraudfix Report.txt
• Combofix Report
• Hijackthis Logfile

DID EVERYTHING AS DIRECTED. 3 REPORTS FOLLOW:

SmitFraudFix v2.179
Scan done at 13:12:13.79, Thu 05/10/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Owner\Application Data\U3\00001779A961EA95\LaunchPad.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\accesss.exe FOUND !
C:\WINDOWS\adware-sheriff-box.gif FOUND !
C:\WINDOWS\adware-sheriff-header.gif FOUND !
C:\WINDOWS\antispylab-logo.gif FOUND !
C:\WINDOWS\about_spyware_bg.gif FOUND !
C:\WINDOWS\about_spyware_bottom.gif FOUND !
C:\WINDOWS\as.gif FOUND !
C:\WINDOWS\as_header.gif FOUND !
C:\WINDOWS\astctl32.ocx FOUND !
C:\WINDOWS\avpcc.dll FOUND !
C:\WINDOWS\bg.gif FOUND !
C:\WINDOWS\big_red_x.gif FOUND !
C:\WINDOWS\blue-bg.gif FOUND !
C:\WINDOWS\box_1.gif FOUND !
C:\WINDOWS\box_2.gif FOUND !
C:\WINDOWS\box_3.gif FOUND !
C:\WINDOWS\button_buynow.gif FOUND !
C:\WINDOWS\button_freescan.gif FOUND !
C:\WINDOWS\buy-now-btn.gif FOUND !
C:\WINDOWS\close-bar.gif FOUND !
C:\WINDOWS\clrssn.exe FOUND !
C:\WINDOWS\corner-left.gif FOUND !
C:\WINDOWS\corner-right.gif FOUND !
C:\WINDOWS\cpan.dll FOUND !
C:\WINDOWS\dialup.exe FOUND !
C:\WINDOWS\download_box.gif FOUND !
C:\WINDOWS\facts.gif FOUND !
C:\WINDOWS\features.gif FOUND !
C:\WINDOWS\footer.giff FOUND !
C:\WINDOWS\footer_back.gif FOUND !
C:\WINDOWS\footer_back.jpg FOUND !
C:\WINDOWS\free-scan-btn.gif FOUND !
C:\WINDOWS\h-line-gradient.gif FOUND !
C:\WINDOWS\header_1.gif FOUND !
C:\WINDOWS\header_2.gif FOUND !
C:\WINDOWS\header_3.gif FOUND !
C:\WINDOWS\header_4.gif FOUND !
C:\WINDOWS\header-bg.gif FOUND !
C:\WINDOWS\inetdctr.dll FOUND !
C:\WINDOWS\infected.gif FOUND !
C:\WINDOWS\info.gif FOUND !
C:\WINDOWS\main_back.gif FOUND !
C:\WINDOWS\no-icon.gif FOUND !
C:\WINDOWS\notepad32.exe FOUND !
C:\WINDOWS\olehelp.exe FOUND !
C:\WINDOWS\reg-freeze-box.gif FOUND !
C:\WINDOWS\reg-freeze-header.gif FOUND !
C:\WINDOWS\remove-spyware-btn.gif FOUND !
C:\WINDOWS\rf.gif FOUND !
C:\WINDOWS\rf_header.gif FOUND !
C:\WINDOWS\runwin32.exe FOUND !
C:\WINDOWS\scan_btn.gif FOUND !
C:\WINDOWS\security-center-bg.gif FOUND !
C:\WINDOWS\security-center-logo.gif FOUND !
C:\WINDOWS\security_center_caption.gif FOUND !
C:\WINDOWS\sep_hor.gif FOUND !
C:\WINDOWS\sep_vert.gif FOUND !
C:\WINDOWS\spp3.dll FOUND !
C:\WINDOWS\spacer.gif FOUND !
C:\WINDOWS\spyware-detected.gif FOUND !
C:\WINDOWS\spyware-sheriff-header.gif FOUND !
C:\WINDOWS\spyware-sheriff-box.gif FOUND !
C:\WINDOWS\star.gif FOUND !
C:\WINDOWS\star-grey.gif FOUND !
C:\WINDOWS\star_gray.gif FOUND !
C:\WINDOWS\star_gray_small.gif FOUND !
C:\WINDOWS\star_small.gif FOUND !
C:\WINDOWS\systeem.exe FOUND !
C:\WINDOWS\systemcritical.exe FOUND !
C:\WINDOWS\time.exe FOUND !
C:\WINDOWS\true-stories.gif FOUND !
C:\WINDOWS\ts.gif FOUND !
C:\WINDOWS\ts_header.gif FOUND !
C:\WINDOWS\users32.exe FOUND !
C:\WINDOWS\v.gif FOUND !
C:\WINDOWS\waol.exe FOUND !
C:\WINDOWS\warning_icon.gif FOUND !
C:\WINDOWS\warning-bar-ico.gif FOUND !
C:\WINDOWS\win_logo.gif FOUND !
C:\WINDOWS\win-sec-center-logo.gif FOUND !
C:\WINDOWS\win32e.exe FOUND !
C:\WINDOWS\win64.exe FOUND !
C:\WINDOWS\winajbm.dll FOUND !
C:\WINDOWS\window.exe FOUND !
C:\WINDOWS\windows-compatible.gif FOUND !
C:\WINDOWS\wininet32.exe FOUND !
C:\WINDOWS\winmgnt.exe FOUND !
C:\WINDOWS\x.exe FOUND !
C:\WINDOWS\x.gif FOUND !
C:\WINDOWS\xplugin.dll FOUND !
C:\WINDOWS\y.exe FOUND !
C:\WINDOWS\yes-icon.gif FOUND !
C:\WINDOWS\yod.htm FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ace16win.dll FOUND !
C:\WINDOWS\system32\anti_troj.exe FOUND !
C:\WINDOWS\system32\dload.exe FOUND !
C:\WINDOWS\system32\iewd.exe FOUND !
C:\WINDOWS\system32\kernels64.exe FOUND !
C:\WINDOWS\system32\lfd.dat FOUND !
C:\WINDOWS\system32\mpsegment.exe FOUND !
C:\WINDOWS\system32\msmapi32.exe FOUND !
C:\WINDOWS\system32\msmapi32.exe.MANIFEST FOUND !
C:\WINDOWS\system32\msmsn.exe FOUND !
C:\WINDOWS\system32\ncompat.tlb FOUND !
C:\WINDOWS\system32\netstat2.exe FOUND !
C:\WINDOWS\system32\oiso.bin FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\pcf.pdf FOUND !
C:\WINDOWS\system32\perfont.exe FOUND !
C:\WINDOWS\system32\performent202.dll FOUND !
C:\WINDOWS\system32\POPCORN72.EXE FOUND !
C:\WINDOWS\system32\proqlaim.exe FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\vxgamet?.exe FOUND !
C:\WINDOWS\system32\win32hp.dll FOUND !
C:\WINDOWS\system32\winmuse.exe FOUND !
C:\WINDOWS\system32\zlbw.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.lenhartauction.com/LewisR/DSC02508.JPG"
"SubscribedURL"="http://www.lenhartauction.com/LewisR/DSC02508.JPG"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.dragbikevideos.com/images/brantley_record.jpg"
"SubscribedURL"="http://www.dragbikevideos.com/images/brantley_record.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

"Owner" - 2007-05-10 13:30:54 Service Pack 1
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Owner\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\vxgamet1.exe
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\x.exe
C:\WINDOWS\y.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\zlbw.dll

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-10 ))))))))))))))))))))))))))))))))))

2007-05-10 13:13 <DIR> d-------- C:\Reply 1
2007-05-10 13:12 3,666 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-10 13:11 876,207 --a------ C:\SmitfraudFix.exe
2007-05-10 13:11 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-10 13:11 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-10 13:11 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-10 13:11 <DIR> d-------- C:\SmitfraudFix
2007-05-10 13:08 <DIR> d-------- C:\New Folder (2)
2007-05-10 13:05 <DIR> d-------- C:\CWShredder
2007-05-09 13:46 4,096 --a------ C:\WINDOWS\system32\ps.exe
2007-05-04 12:03 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-05-04 12:03 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-05-04 12:03 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-05-04 12:03 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-05-04 12:03 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-05-04 12:03 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-05-04 12:01 <DIR> d-------- C:\Program Files\McAfee.com
2007-05-04 12:01 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-05-04 12:00 <DIR> d-------- C:\Program Files\McAfee
2007-05-04 11:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-04-27 18:09 <DIR> d-------- C:\Program Files\Full Tilt Poker
2007-04-27 14:11 <DIR> d-------- C:\Program Files\RegCure
2007-04-27 14:00 <DIR> d-------- C:\Program Files\RegistryFix
2007-04-27 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-27 12:25 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-04-27 12:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-04-27 12:13 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-04-27 12:11 <DIR> d-------- C:\WINDOWS\pss
2007-04-22 18:27 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MSN6
2007-04-21 04:00 6,966 --a------ C:\WINDOWS\system32\upbaieok.exe
2007-04-13 17:07 6,857 --a------ C:\WINDOWS\system32\ctfmadte.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-10 18:29:08 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\U3
2007-05-10 05:25:51 -------- d-----w C:\Program Files\America Online 8.0
2007-05-09 18:55:08 4,112 -c--a-w C:\WINDOWS\mozver.dat
2007-05-07 06:07:55 -------- d-----w C:\Program Files\PokerStars
2007-04-27 23:09:13 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-27 17:22:13 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\McAfee.com Personal Firewall
2007-04-06 18:26:14 0 ----a-w C:\WINDOWS\system32\idleserv.exe
2007-03-30 17:50:25 6,959 ----a-w C:\WINDOWS\system32\igjawoau.exe
2007-03-23 16:21:54 6,911 ----a-w C:\WINDOWS\system32\ikrcbeqd.exe
2007-03-16 14:22:32 6,789 ----a-w C:\WINDOWS\system32\cfjgoanf.exe
2007-03-15 06:23:54 -------- d-----w C:\Program Files\Picasa2
2007-03-13 10:10:35 0 ----a-w C:\WINDOWS\system32\yrdqldwv.exe
2007-03-13 10:09:42 0 ----a-w C:\WINDOWS\system32\xxruegba.exe
2007-03-08 22:06:28 6,750 ----a-w C:\WINDOWS\system32\pzkcxnky.exe
2007-03-01 14:30:47 0 ----a-w C:\WINDOWS\system32\msdtc_32.exe
2007-03-01 14:30:32 0 ----a-w C:\WINDOWS\system32\user_32.dll
2007-03-01 14:30:26 6,733 ----a-w C:\WINDOWS\system32\gxrtpgck.exe
2007-02-21 15:39:52 6,707 ----a-w C:\WINDOWS\system32\qluubwub.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"="c:\program files\mcafee\virusscan\scriptcl.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"CplBTQ00"="\"C:\\Program Files\\EzButton\\CplBTQ00.EXE\""
"CeEKEY"="\"C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe\""
@=""
"LtMoh"="\"C:\\Program Files\\ltmoh\\Ltmoh.exe\""
"CpRmtKey"="\"C:\\Program Files\\Toshiba Controls\\CpRmtKey.EXE\""
"CeEPOWER"="\"C:\\Program Files\\TOSHIBA\\Power Management\\CePMTray.exe\""
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"TPNF"="\"C:\\Program Files\\TOSHIBA\\TouchPad\\TPTray.exe\""
"NDSTray.exe"="NDSTray.exe"
"Pinger"="\"c:\\toshiba\\ivp\\ism\\pinger.exe\" /run"
"EPSON Stylus CX6400"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2L1.EXE\" /P19 \"EPSON Stylus CX6400\" /O6 \"USB001\" /M \"Stylus CX6400\""
"IVPServiceMgr"="C:\\toshiba\\ivp\\ism\\ivpsvmgr.exe"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"msci"="\"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\2007423112541_mcinfo.exe\" /insfin"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe\""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.lenhartauction.com/LewisR/DSC02508.JPG
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://www.dragbikevideos.com/images/brantley_record.jpg

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{56fd25dc-cb3c-11db-ac12-00038a000015}]
Shell\AutoRun\command E:\LaunchU3.exe -a

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\wrSpySweeper20060808231517.job
C:\WINDOWS\tasks\wrSpySweeper_F228863A14E349488F5F1E117C426AE1.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-10 13:34:03
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************
Completion time: 2007-05-10 13:34:09
C:\ComboFix-quarantined-files.txt ... 2007-05-10 13:34

Logfile of HijackThis v1.99.1
Scan saved at 1:39:29 PM, on 5/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Owner\Application Data\U3\00001779A961EA95\LaunchPad.exe
C:\Documents and Settings\Owner\My Documents\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CplBTQ00] "C:\Program Files\EzButton\CplBTQ00.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [EPSON Stylus CX6400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msci] "C:\DOCUME~1\Owner\LOCALS~1\Temp\2007423112541_mcinfo.exe" /insfin
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Thanks, again!

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background

FOLLOWED INSTRUCTIONS AND REPORTS FOLLOW. THANK YOU THANK YOU!!!!!

SmitFraudFix v2.179
Scan done at 14:41:27.81, Thu 05/10/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\accesss.exe Deleted
C:\WINDOWS\adware-sheriff-box.gif Deleted
C:\WINDOWS\adware-sheriff-header.gif Deleted
C:\WINDOWS\antispylab-logo.gif Deleted
C:\WINDOWS\about_spyware_bg.gif Deleted
C:\WINDOWS\about_spyware_bottom.gif Deleted
C:\WINDOWS\as.gif Deleted
C:\WINDOWS\as_header.gif Deleted
C:\WINDOWS\astctl32.ocx Deleted
C:\WINDOWS\bg.gif Deleted
C:\WINDOWS\big_red_x.gif Deleted
C:\WINDOWS\blue-bg.gif Deleted
C:\WINDOWS\box_1.gif Deleted
C:\WINDOWS\box_2.gif Deleted
C:\WINDOWS\box_3.gif Deleted
C:\WINDOWS\button_buynow.gif Deleted
C:\WINDOWS\button_freescan.gif Deleted
C:\WINDOWS\buy-now-btn.gif Deleted
C:\WINDOWS\close-bar.gif Deleted
C:\WINDOWS\clrssn.exe Deleted
C:\WINDOWS\corner-left.gif Deleted
C:\WINDOWS\corner-right.gif Deleted
C:\WINDOWS\cpan.dll Deleted
C:\WINDOWS\dialup.exe Deleted
C:\WINDOWS\download_box.gif Deleted
C:\WINDOWS\facts.gif Deleted
C:\WINDOWS\features.gif Deleted
C:\WINDOWS\footer.gif Deleted
C:\WINDOWS\footer_back.gif Deleted
C:\WINDOWS\footer_back.jpg Deleted
C:\WINDOWS\free-scan-btn.gif Deleted
C:\WINDOWS\h-line-gradient.gif Deleted
C:\WINDOWS\header_1.gif Deleted
C:\WINDOWS\header_2.gif Deleted
C:\WINDOWS\header_3.gif Deleted
C:\WINDOWS\header_4.gif Deleted
C:\WINDOWS\header-bg.gif Deleted
C:\WINDOWS\inetdctr.dll Deleted
C:\WINDOWS\infected.gif Deleted
C:\WINDOWS\info.gif Deleted
C:\WINDOWS\main_back.gif Deleted
C:\WINDOWS\no-icon.gif Deleted
C:\WINDOWS\olehelp.exe Deleted
C:\WINDOWS\reg-freeze-box.gif Deleted
C:\WINDOWS\reg-freeze-header.gif Deleted
C:\WINDOWS\remove-spyware-btn.gif Deleted
C:\WINDOWS\rf.gif Deleted
C:\WINDOWS\rf_header.gif Deleted
C:\WINDOWS\runwin32.exe Deleted
C:\WINDOWS\scan_btn.gif Deleted
C:\WINDOWS\security-center-bg.gif Deleted
C:\WINDOWS\security-center-logo.gif Deleted
C:\WINDOWS\security_center_caption.gif Deleted
C:\WINDOWS\sep_hor.gif Deleted
C:\WINDOWS\sep_vert.gif Deleted
C:\WINDOWS\spacer.gif Deleted
C:\WINDOWS\spp3.dll Deleted
C:\WINDOWS\spyware-detected.gif Deleted
C:\WINDOWS\spyware-sheriff-header.gif Deleted
C:\WINDOWS\spyware-sheriff-box.gif Deleted
C:\WINDOWS\star.gif Deleted
C:\WINDOWS\star-grey.gif Deleted
C:\WINDOWS\star_gray.gif Deleted
C:\WINDOWS\star_gray_small.gif Deleted
C:\WINDOWS\star_small.gif Deleted
C:\WINDOWS\true-stories.gif Deleted
C:\WINDOWS\ts.gif Deleted
C:\WINDOWS\ts_header.gif Deleted
C:\WINDOWS\systeem.exe Deleted
C:\WINDOWS\systemcritical.exe Deleted
C:\WINDOWS\time.exe Deleted
C:\WINDOWS\users32.exe Deleted
C:\WINDOWS\v.gif Deleted
C:\WINDOWS\waol.exe Deleted
C:\WINDOWS\warning_icon.gif Deleted
C:\WINDOWS\warning-bar-ico.gif Deleted
C:\WINDOWS\win_logo.gif Deleted
C:\WINDOWS\win-sec-center-logo.gif Deleted
C:\WINDOWS\win32e.exe Deleted
C:\WINDOWS\win64.exe Deleted
C:\WINDOWS\winajbm.dll Deleted
C:\WINDOWS\window.exe Deleted
C:\WINDOWS\windows-compatible.gif Deleted
C:\WINDOWS\wininet32.exe Deleted
C:\WINDOWS\winmgnt.exe Deleted
C:\WINDOWS\x.gif Deleted
C:\WINDOWS\xplugin.dll Deleted
C:\WINDOWS\yes-icon.gif Deleted
C:\WINDOWS\yod.htm Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\anti_troj.exe Deleted
C:\WINDOWS\system32\dload.exe Deleted
C:\WINDOWS\system32\iewd.exe Deleted
C:\WINDOWS\system32\lfd.dat Deleted
C:\WINDOWS\system32\mpsegment.exe Deleted
C:\WINDOWS\system32\msmapi32.exe Deleted
C:\WINDOWS\system32\msmapi32.exe.MANIFEST Deleted
C:\WINDOWS\system32\msmsn.exe Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\netstat2.exe Deleted
C:\WINDOWS\system32\oiso.bin Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\pcf.pdf Deleted
C:\WINDOWS\system32\perfont.exe Deleted
C:\WINDOWS\system32\performent202.dll Deleted
C:\WINDOWS\system32\POPCORN72.EXE Deleted
C:\WINDOWS\system32\proqlaim.exe Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\win32hp.dll Deleted
C:\WINDOWS\system32\winmuse.exe Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 2:51:46 PM, on 5/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Owner\My Documents\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CplBTQ00] "C:\Program Files\EzButton\CplBTQ00.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [EPSON Stylus CX6400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msci] "C:\DOCUME~1\Owner\LOCALS~1\Temp\2007423112541_mcinfo.exe" /insfin
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I Did Try Internet And The "search" Command, But Neither Is Working Yet.

Alright, we'll continue.

Step #1

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
• Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
• Choose the "Scan tab" and UNcheck "Heuristic analysis"
• Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
• Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
• When done, a message will be displayed at the bottom advising if any viruses were found.
• Click "Yes to all" if it asks if you want to cure/move the file.
• When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
  (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
• Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Step #2

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, DSS will open two Notepads: main.txt and extra.txt
• Use Save As to save both Notepad files to your Desktop and post them in your next reply.

In your next reply please post:

C:\Deckard\System Scanner\Main.txt
C:\Deckard\System Scanner\Extra.txt

FOLLOWED INSTRUCTIONS....FOUND A LOT OF TROJAN FILES. REPORTS FOLLOW...

mcupdmgr.exe;c:\program files\mcafee\msc;Probably DLOADER.Trojan;Moved.;
rigbvfce.okz;c:\windows\system32;Trojan.Click.1242;Deleted.;
zlbw.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Proxy.1715;Deleted.;
Process.exe;C:\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\SmitfraudFix;Tool.ShutDown.11;Moved.;
A0048190.dll;C:\System Volume Information\_restore{B8194EE4-E65E-4AF3-B138-80272DCC4B9F}\RP595;Trojan.Proxy.1715;Deleted.;
A0048296.exe;C:\System Volume Information\_restore{B8194EE4-E65E-4AF3-B138-80272DCC4B9F}\RP596;Trojan.Packed.55;Deleted.;
A0048297.exe;C:\System Volume Information\_restore{B8194EE4-E65E-4AF3-B138-80272DCC4B9F}\RP596;Trojan.Packed.87;Deleted.;
A0048298.exe;C:\System Volume Information\_restore{B8194EE4-E65E-4AF3-B138-80272DCC4B9F}\RP596;Trojan.Packed.38;Deleted.;
A0048299.exe;C:\System Volume Information\_restore{B8194EE4-E65E-4AF3-B138-80272DCC4B9F}\RP596;Trojan.Packed.70;Deleted.;
A0048300.exe;C:\System Volume Information\_restore{B8194EE4-E65E-4AF3-B138-80272DCC4B9F}\RP596;Trojan.Packed.61;Deleted.;
A0048301.exe;C:\System Volume Information\_restore{B8194EE4-E65E-4AF3-B138-80272DCC4B9F}\RP596;Trojan.Packed.46;Deleted.;
A0048302.exe;C:\System Volume Information\_restore{B8194EE4-E65E-4AF3-B138-80272DCC4B9F}\RP596;Trojan.Packed.32;Deleted.;
cdhfymnh.exe;C:\WINDOWS\system32;Trojan.DownLoader.14309;Deleted.;
fhkjaetz.exe;C:\WINDOWS\system32;Win32.Dref;Deleted.;
fifcpjfb.pnn;C:\WINDOWS\system32;Trojan.Click.1242;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Moved.;
rciusfat.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
upbaieok.exe;C:\WINDOWS\system32;Trojan.Packed.94;Deleted.;
uwkswckh.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
yuhzfstk.exe;C:\WINDOWS\system32;Trojan.DownLoader.14309;Deleted.;
zprihmus.exe;C:\WINDOWS\system32;Trojan.DownLoader.14617;Deleted.;



Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-11 at 12:00:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
93: 2007-05-11 17:00:19 UTC - RP597 - Deckard's System Scanner Restore Point
92: 2007-05-11 05:05:25 UTC - RP596 - System Checkpoint
91: 2007-05-10 04:05:00 UTC - RP595 - Restore Operation
90: 2007-05-10 03:42:55 UTC - RP594 - Restore Operation
89: 2007-05-10 03:35:47 UTC - RP593 - Restore Operation

-- First Restore Point -- 
1: 2007-02-11 11:20:11 UTC - RP505 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:01:06 PM, on 5/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\wanmpsvc.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\MYDOCU~1\HJT\Owner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [URL]http://www.toshiba.com[/URL]
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CplBTQ00] "C:\Program Files\EzButton\CplBTQ00.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [EPSON Stylus CX6400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [msci] "C:\DOCUME~1\Owner\LOCALS~1\Temp\2007423112541_mcinfo.exe" /insfin
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [URL]http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab[/URL]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [URL]http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab[/URL]
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) -   - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

-- File Associations -----------------------------------------------------------
[COLOR=red].cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL %1,%*[/COLOR]
[COLOR=red].cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser %1,%*[/COLOR]

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SrvcEKIOMngr - c:\windows\system32\drivers\ekiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcEPIOMngr - c:\windows\system32\drivers\epiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcTPIOMngr - c:\windows\system32\drivers\tpiomngr.sys
R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R2 MDC8021X (WPA Security Protocol (IEEE 802.1x) v2.2.0.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R3 EPOWER (Compal E-POWER Driver) - c:\windows\system32\drivers\hkdrv.sys <Not Verified; Compal Electronic Inc.; EPOWER>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set>
S2 RIGBVFCE - c:\windows\system32\rigbvfce.okz (file missing)
S3 C-Dilla - c:\windows\system32\drivers\cdant.sys <Not Verified; Macrovision; Licence Management System>
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
S3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
S3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>
S3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Bluetooth HID Driver>
S3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth USB Miniport Driver(Windows2000,WindowsXP)>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 C-DillaSrv - c:\windows\system32\drivers\cdantsrv.exe <Not Verified; C-Dilla Ltd; CD-Secure/CD-Compress Windows NT>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe"
S3 mcmispupdmgr (McAfee Update Manager) - c:\progra~1\mcafee\msc\mcupdmgr.exe (file missing)
S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>

-- Scheduled Tasks -------------------------------------------------------------
2007-05-11 11:57:00       412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-05-11 11:54:30       438 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2007-05-11 04:00:04      1510 --a------ C:\WINDOWS\Tasks\wrSpySweeper_F228863A14E349488F5F1E117C426AE1.job
2007-05-10 13:04:04       372 --a------ C:\WINDOWS\Tasks\RegCure.job
2007-05-06 00:00:03      1898 --a------ C:\WINDOWS\Tasks\wrSpySweeper20060808231517.job
2007-05-04 12:02:10       350 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2007-05-04 12:02:08       352 --a------ C:\WINDOWS\Tasks\McQcTask.job

-- Files created between 2007-04-11 and 2007-05-11 -----------------------------
2007-05-11 10:01:51         0 d-------- C:\Documents and Settings\Owner\DoctorWeb
2007-05-10 13:13:28         0 d-------- C:\Reply 1
2007-05-10 13:12:26      3674 --a------ C:\WINDOWS\System32\tmp.reg
2007-05-10 13:11:51    288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-05-10 13:11:51     51200 --a------ C:\WINDOWS\System32\dumphive.exe
2007-05-10 13:11:45         0 d-------- C:\SmitfraudFix
2007-05-10 13:11:29    876207 --a------ C:\SmitfraudFix.exe
2007-05-10 13:08:21         0 d-------- C:\New Folder (2)
2007-05-10 13:05:54         0 d-------- C:\CWShredder
2007-05-09 13:46:29      4096 --a------ C:\WINDOWS\System32\ps.exe
2007-05-04 12:01:31         0 d-------- C:\Program Files\McAfee.com
2007-05-04 12:01:13         0 d-------- C:\Program Files\Common Files\McAfee
2007-05-04 12:00:59         0 d-------- C:\Program Files\McAfee
2007-05-04 11:55:22         0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-04-27 18:09:14         0 d-------- C:\Program Files\Full Tilt Poker
2007-04-27 14:11:32         0 d-------- C:\Program Files\RegCure
2007-04-27 14:00:38         0 d-------- C:\Program Files\RegistryFix
2007-04-27 12:30:19         0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-04-27 12:25:24         0 d-------- C:\Documents and Settings\Owner\Application Data\Talkback
2007-04-27 12:22:16         0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-04-27 12:13:56         0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-04-27 12:11:49         0 d-------- C:\WINDOWS\pss
2007-04-22 18:27:53         0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6

-- Find3M Report ---------------------------------------------------------------
2007-05-11 11:59:26         0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-05-10 00:25:51         0 d-------- C:\Program Files\America Online 8.0
2007-05-09 13:55:08      4112 --a----c- C:\WINDOWS\mozver.dat
2007-05-07 01:07:55         0 d-------- C:\Program Files\PokerStars
2007-04-27 18:09:13         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-27 12:22:13         0 d-------- C:\Documents and Settings\Owner\Application Data\McAfee.com Personal Firewall
2007-04-06 13:26:14         0 --a------ C:\WINDOWS\System32\idleserv.exe
2007-03-15 01:23:54         0 d-------- C:\Program Files\Picasa2
2007-03-13 05:10:35         0 --a------ C:\WINDOWS\System32\yrdqldwv.exe
2007-03-13 05:09:42         0 --a------ C:\WINDOWS\System32\xxruegba.exe
2007-03-01 09:30:47         0 --a------ C:\WINDOWS\System32\msdtc_32.exe
2007-03-01 09:30:32         0 --a------ C:\WINDOWS\System32\user_32.dll

-- Registry Dump ---------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\program files\mcafee\virusscan\scriptcl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"CplBTQ00"="\"C:\\Program Files\\EzButton\\CplBTQ00.EXE\""
"CeEKEY"="\"C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe\""
@=""
"LtMoh"="\"C:\\Program Files\\ltmoh\\Ltmoh.exe\""
"CpRmtKey"="\"C:\\Program Files\\Toshiba Controls\\CpRmtKey.EXE\""
"CeEPOWER"="\"C:\\Program Files\\TOSHIBA\\Power Management\\CePMTray.exe\""
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"TPNF"="\"C:\\Program Files\\TOSHIBA\\TouchPad\\TPTray.exe\""
"NDSTray.exe"="NDSTray.exe"
"Pinger"="\"c:\\toshiba\\ivp\\ism\\pinger.exe\" /run"
"EPSON Stylus CX6400"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2L1.EXE\" /P19 \"EPSON Stylus CX6400\" /O6 \"USB001\" /M \"Stylus CX6400\""
"IVPServiceMgr"="C:\\toshiba\\ivp\\ism\\ivpsvmgr.exe"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"msci"="\"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\2007423112541_mcinfo.exe\" /insfin"
"SpySweeper"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe /startintray"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe\""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages REG_MULTI_SZ    msv1_0\0\0
   Security Packages REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0\0
   Notification Packages REG_MULTI_SZ    scecli\0\0
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ    DnsCache\0\0
rpcss REG_MULTI_SZ    RpcSs\0\0
imgsvc REG_MULTI_SZ    StiSvc\0\0
termsvcs REG_MULTI_SZ    TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{56fd25dc-cb3c-11db-ac12-00038a000015}]
Shell\AutoRun\command E:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2007-05-11 at 12:01:38 ---------


Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 2.80GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 510.98 MiB / 221.5 MiB
Pagefile Memory (total/avail): 1249.79 MiB / 962.77 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1986.9 MiB
C: is Fixed (NTFS) - 74.53 GiB total, 64.68 GiB free. 
D: is CDROM (No Media)

-- Security Center -------------------------------------------------------------
AUOptions is not configured.
AUState says computer is in an unknown state.
Windows Internal Firewall is enabled.

-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TOSHIBA-USER
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\TOSHIBA-USER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=TOSHIBA-USER
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------
Owner [I](admin)[/I]

-- Add/Remove Programs ---------------------------------------------------------
 --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
 --> C:\Program Files\Installshield Installation Information\{08082021-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082021-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
 --> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11E83B33-972B-4512-A447-FF0FD0246EE9}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BFBC62A-3353-443D-93BE-7AC641D9F342}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C1B8CBC-9118-11D7-86D3-00055DF3561E}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B100B05B-E290-41EF-9366-8BC4C76D7769}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAD9402A-1A9B-4ABE-A410-393A3622FA5A}\setup.exe" -l0x9 
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Illustrator 7.0 --> C:\WINDOWS\uninst.exe -f"C:\Adobe\Illustrator 7.0\DeIsL1.isu"
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Coach Version 1.0(Build:20020929.1) --> C:\WINDOWS\AolCInUn.exe
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66C8BE35-8BBB-472B-96C7-C7C9A499F988}\Setup.exe" -l0x9 
AT&T Connection Services Manager --> C:\WINDOWS\WNBackup\WnClient62\unwise32.exe /Z /U C:\WINDOWS\WNBackup\WnClient62\install.log "AT&T Connection Services Manager"
Atheros Client Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E46F23-8DFB-4993-895E-80D95FEE6E86}\setup.exe" -l0x9 
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
C-Dilla Licence Management System --> C:\C_DILLA\setup\cdunin16.exe
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Drag'n Drop CD+DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDC146FA-73E0-4FA1-A353-841EA14BF600}\Setup.exe" -l0x9 deleteall
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver
Easy Button --> C:\WINDOWS\UnInst32.exe CplBTQ00.UNI
EPSON CardMonitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst
EPSON Copy Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B69CC1A5-0404-11D6-ABCB-005004C21D30}\setup.exe" -l0x9 ADDREMOVEDLG
EPSON ES CX6400 Manual --> C:\Program Files\epson\guide\cx6400_e\uninstall.exe
EPSON Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B53B71D-9E2F-42B8-9123-96354872D166}\setup.exe" -l0x9 MyUninstall
EPSON PhotoStarter3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5983C895-DDA4-45D9-A8D1-877D5DE7693E}\Setup.exe" -l0x9 uninst
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0131B2-CF18-40D9-A331-60A3746C1204}\Setup.exe" -l0x9 UNINSTALL
EPSON Smart Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\Setup.exe" -l0x9 Uninstall
Full Tilt Poker --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -l0x9  -removeonly
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9  -removeonly
Google Pack Screensaver --> C:\WINDOWS\Google Pack Screensaver Uninstaller.exe
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 1.99.1 --> C:\Documents and Settings\Owner\My Documents\HJT\HijackThis.exe /uninstall
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Mozilla Firefox (2.0.0.3) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Notebook Maximizer --> C:\WINDOWS\iun506.exe C:\Program Files\Notebook Maximizer\irunin.ini
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvct.inf
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PokerStars --> C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
QuickBooks 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intuit\QuickBooks\DeIsL1.isu" -c"C:\Program Files\Intuit\QuickBooks\removeqb.dll"
QuickBooks Basic Edition 2004 --> C:\Program Files\Installshield Installation Information\{2b02f821-a9b9-458c-80e5-3ea8c0de8471}\QBReplace.exe {2b02f821-a9b9-458c-80e5-3ea8c0de8471}#{2B02F82E-A9B9-458C-80E5-3EA8C0DE8471}
QuickBooks Pro 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2007" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{054C3038-FFAC-446D-9682-E25891DC2E05}
Quicken 2003 New User Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Realtek Fast Ethernet Adapter Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\Setup.exe" -l0x9 REMOVE
RegCure 1.3.0.2 --> C:\Program Files\RegCure\uninst.exe
RegistryFix v6.2 --> "C:\Program Files\RegistryFix\unins000.exe"
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
SMSC IrCC Driver V5.1.2462.0 (WinXP) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC86822D-3A20-11D5-801B-00E029348F40}\Setup.exe" 
Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80D95911-28E9-40AC-A6B5-1DA6D9F14B29}\Setup.exe" -l0x9 
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
SurfHere by Toshiba --> MsiExec.exe /X{A962C8E1-4F0B-4BA9-806E-B8D9A3B31F82}
TOSHIBA Access --> C:\PROGRA~1\TOSHIB~1\UNWISE.EXE C:\PROGRA~1\TOSHIB~1\INSTALL.LOG
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" 
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9 
Toshiba Controls --> C:\WINDOWS\UnInst32.exe CpRmtKey.UNI
TOSHIBA Hotkey Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0415F42D-B746-4166-99E4-1CA5FAEAC18F} /l1033 
TOSHIBA Power Management Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{876CD8AC-B62C-4F8A-9084-3201CC96A5D2} /l1033 
Toshiba Registration --> MsiExec.exe /X{F6C405D2-C50D-4D10-B89E-73A233A14D74}
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\Setup.exe" 
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> C:\TOSHIBA\Ivp\Swupdate\UNWISE.EXE C:\TOSHIBA\Ivp\Swupdate\INSTALL.LOG
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9 
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9 
Toshiba Tbiosdrv Driver --> C:\PROGRA~1\Toshiba\TOSHIB~1\UNWISE.EXE C:\PROGRA~1\Toshiba\TOSHIB~1\INSTALL.LOG
TouchPad On/Off Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{079F3B36-05A1-4FA1-937C-E2EFF92A73E4} /l1033 
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u

-- End of Deckard's System Scanner: finished at 2007-05-11 at 12:01:38 ---------

Thanks for your continued efforts!

Looks Much better!

We still have few things to do.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step #1

You can go ahead and remove the tools we used.

Please download the OTMoveIt.

• Save it to your desktop.
• Please double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

  C:\WINDOWS\System32\ps.exe
  C:\WINDOWS\pss
  C:\WINDOWS\System32\idleserv.exe
  C:\WINDOWS\System32\yrdqldwv.exe
  C:\WINDOWS\System32\xxruegba.exe
  C:\WINDOWS\System32\msdtc_32.exe
  C:\WINDOWS\System32\user_32.dll
  

• Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
• Click the red Moveit! button.
• Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
• Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #2

Please open HiJackThis and scan. Check the boxes next to all the entries listed below

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [msci] "C:\DOCUME~1\Owner\LOCALS~1\Temp\2007423112541_mcinfo.exe" /insfin

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis

Step #3

Download CCleaner If you don't want the Yahoo toolbar, be sure to UNcheck that option when installing the software or update.

Instructions for using CCleaner:

• Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
• A pop up box will appear advising this process will permanently delete files from your system.
• To protect logon cookies that you wish to retain, under Options > Cookies. Select and using the arrow move those cookies to the "Cookies to keep" column.
• Then select the items you wish to clean up.
  • In the Windows Tab:
    • Clean all entries in the "Internet Explorer" section.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section.
    • Clean all entries in the "Advanced" section.
    • Clean any others that you choose.
  • In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)

• Click the "Run Cleaner" button and it will scan and clean your system.
• Click exit.
• Shutdown/restart the computer.

Step #4

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Step #5

Please run Panda's ActiveScan You will need to use Internet Explorer to run it.

• Once you are on the Panda site click the Scan your PC button
  
• A new window will open...click the Check Now button
  
• Enter your Country
  
• Enter your State/Province
  
• Enter your e-mail address and click send
  
• Select either Home User or Company
  
• Click the big Scan Now button

o If it wants to install an ActiveX component allow it
o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
o When download is complete, click on My Computer to start the scan
o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report

Let me know how thins are running now :)

I also get this message from McAfee every time I reboot, not in SAFE MODE. I allow it. Should I block it?

SysemGuard Description: Monitors changes to your internet Explorer preset URLS to preven spyware or other potentially unwanted programs from changing your browser settings without your permission

Process: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Process Name: Spy Sweeper Engine
Process Publisher: Webroot Software, Inc.
Affected Items: HKEY_USERS\S-1-5-21-194725168-951468696-4177962848-1003\Software\Microsoft\Internet Explorer\SearchUrl\

If you did not expect his change, McAfee recommends that you block it. If you expected change, allow it.

That should not be a problem.

Go Ahead and allow SpySweeper.

Could you please follow those instructions i just posted?

Thanks.

I did everything up to Panda's Active Scan. I have NOT been able to do that because I cannot access Internet Explorer. I get "SErver Cannot be found." I cannot get online with Mozilla Firefox either. I CAN get online to AOL via dialup but cannot use Internet Explorer once online. For example, I type www.daniweb.com (page cannot be found). Then I tried www.daniweb.com/index (I got onto your site, but got message DANI WEB IT Discussion Community 404 Error. This page does not exist on our server.) So, it's doing something, but not quite getting there. Google, Yahoo do not come up either. BUT I clicked on "Favorites" and got a website.

I have been doing all the repair work, accessing the info via another computer, copying the files to a flash drive, then copying them onto the infected computer, and running the software and processes.

Should I copy Internet Explorer onto the infected computer? I don't want to do anything to screw up this great communication and process we've had, so I'd really appreciate your thoughts and reply. Thanks!

Is it OKAY to load an updated version of AOL onto the infected computer in order to get a new version of Internet Explorer onto the infected computer? Are viruses able to corrupt IE to the point of having to reload?
Looking forward to someone's answer. Thanks!

Hi there, sorry for the delay getting to you, i've been busy.

I suggest you Update Aol after that we have cleaned up your system.

I will get to you as soon as possible thank you for your patience.

Are you able to access the internet properly now?

If you are you could please follow my instructions i posted in Message #11

Thanks.

I am going to go get the CD now and will update. HOpefully I will get IE running. I am emailing from another computer. I still can't get on IE from the virus computer. I can't do an online scan on the virus computer. I will get back after I've loaded the new AOL with new IE. Thanks!

Alright, No problem i see ahead hearing back from you.

Take your time.

Sorry, I didn't see message 17. I cannot access "Panda Active Scan" because I cannot do things through Internet Explorer. I cannot do the live scan on the infected computer. That's why I asked about AOL. I have not loaded new AOL yet.

I can access AOL search and AOL via dialup. I can see the results of search, but when I click on link, I get message: cannot access world wide web. I can't get past AOL and search results. I cannot get on any other site.

Error message in URL bar at top that I received when trying to access PandaActiveScan via AOL dialup.

res://c:\WINDOWS\System32\shdock.dll/navecancel.htm#http://www.pandasoftware .com

Does that help at all?

Let's try doing this another way.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
• Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
• Choose the "Scan tab" and UNcheck "Heuristic analysis"
• Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
• Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
• When done, a message will be displayed at the bottom advising if any viruses were found.
• Click "Yes to all" if it asks if you want to cure/move the file.
• When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
  (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
• Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Ran DrWeb_CureIt again. NO VIRUS FILES FOUND. It did not give me the option to File....Save Report because there was nothing to report. DrWeb previously found a lot of trojan files -- see message #10 for the log.

Following your directions I had previously run the following programs: CWShredder, SideKickFix, Smitfraud Fix, ComboFix, BruteForceUninstall, DrWeb_CureIt, Deckard's System Scanner (DSS), OTMoveIt, CCCleaner. I still cannot get into Internet Explorer or Mozilla Firefox.

I did NOT install a more recent version of AOL. It did NOT have IE on the CD.

Here's something to consider. I don't know if it means anything... I have McAfee on the virus computer. When I try to access it, it won't let me. This was happening BEFORE I starting deleting the viruses and is still happening now. It starts coming up and disappears. I went into START...EXPLORE and found a McAfee firewall file *.exe so it must be running. When I try to start with Mozilla Firefox, I get message "Firefox cannot establish connection at 127.0.0.01:4664" One of the possible reasons it lists is "If your computer is protected by firewall or proxy, make sure firefox is permitted to access web. I can't get into McAfee to see if Firefox is permitted or not. A TROJAN was found in the McAfee directory during one of your virus searches. SHOULD I UNINSTALL MCAFEE?

Also when I looked in the history of updates Firefox was listed as updated on December 31, 1969 with a status of "undefined." This may or may not mean anything. I just thought I'd let you know.

So, I can only access AOL via dialup, and can only access AOL links, including AOL Google search, but when I click links I get an error page. Cannot get on web, into IE, Yahoo, etc. I have NOT run PandaActiveScan because I cannot access it via virus infected computer.

Thanks so much for your continued efforts. I really need to get this solved.

Hi there!

My Suggestion is that you go ahead and Uninstall All Components related to McAfee Products, because alot of people have had loads of issues and the problem usually traces back to McAfee.

Step #1

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Following are the links of two good antivirus (these are also free for personal use):

• Avast Home Edition
• AVG Anti-Virus

When you have installed one of these Reboot your computer

Perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again.
After reboot, post a new HijackThislog in your next reply, so we can deal with the rest, because it really doesn't make sense that we try to clean this if you didn't do an effort to run a scan and at least install an Antivirus to prevent further infection.

Step #2

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.

Please download and install one of these excellent (and free) products:

• Sunbelt Kerio Firewall,
• Outpost Firewall
• Zone Alarm

I downloaded AVG and got it transferred to infected computer. Ran scan - no infected files found. I think I am free of viruses now, but they did impact IE and Mozilla Foxfire.

I went to the error log and this error came up repeatedly. [U]Line 439 contains the error[/U]. I'm also sending Line 438 and 440 so no information is missed.....

Error: record has no properties
Source File: [URL]file:///C:/Documents%20and%20Settings/Owner/Application%20Data/Mozilla/Firefox/Profiles/him4m1zv.default/extensions/%7B3112ca9c-de6d-4884-a869-9855de68056c%7D/lib/toolbar.js[/URL]  Line: 439

Line 438
{sourceid:"navclient-ff",features:"Rank",client:"navclient-auto-ff"};GTB_PageRank.GPR_HASH_SEED="Mining PageRank is AGAINST GOOGLE'S TERMS OF SERVICE. Yes, I'm talking to you, scammer.";
function GPR_DNSLookUpHandler(pr){this.pr=pr}GPR_DNSLookUpHandler.prototype.QueryInterface=function(iid){if(iid.equals(Components.interfaces.nsISupports)||iid.equals(Components.interfaces.nsIDNSListener))
{return this}throw Components.results.NS_NOINTERFACE;};GPR_DNSLookUpHandler.prototype.onLookupComplete=function(request,

Line 439
record,status){this.pr.GPR_resolvedIp=record.getNextAddrAsString()};GTB_PageRank.prototype.GPR_getDefaultTld=function(){var home=GTB_getGoogleHome(),homePrefix="[URL="http://www.google"]www.google[/URL].";
this.GPR_defaultTld=home.slice(homePrefix.length,home.length);if(this.GPR_defaultTld=="cn"){this.GPR_defaultTld="com"}};
GTB_PageRank.prototype.onTabSwitch_=function(event){if(!this.isEnabled()){return}var tabData=this.tabData.getSelectedTabContainer("page_rank"),undefined;
if(tabData.pageRank==undefined){this.GPR_getPageRank();

Line 440
return}this.GPR_displayPageRank(tabData.pageRank)};GTB_PageRank.prototype.GPR_resolveDns=function(){var dns=Components.classes["@mozilla.org/network/dns-service;1"].getService
(Components.interfaces.nsIDNSService),toolbarName=GTB_PageRank.GPR_INFO_COLON_URL+this.GPR_defaultTld,eventQ=null;
try{var nsIEventQueueService=Components.interfaces.nsIEventQueueService,eqService=Components.classes["@mozilla.org/event-queue-service;1"].getService(nsIEventQueueService);
eventQ=eqService.getSpecialEventQueue(nsIEvent

Also had 1 or two duplicate errors of the following:

WARNING:  UNRECOGNIZED COMMAND LINE FLAG-REQUEST PENDING    line 689
 for (i = 0; i < count; ++i) {
      var curarg = cmdLine.getArgument(i);
      if (curarg.match(/^-/)) {   THIS IS LINE 689
        Components.utils.reportError("Warning: unrecognized command line flag " + curarg + "\n");
        // To emulate the pre-nsICommandLine behavior, we ignore
        // the argument after an unrecognized flag.
        ++i;
      } else {
        try {
          urilist.push(resolveURIInternal(cmdLine, curarg));
        }
        catch (e) {
          Components.utils.reportError("Error 

IE is not working yet. Mozilla Foxfire is not working yet. Google desktop, which gave me errors before, started working after I uninstalled McAfee. I could not access the web, though. I did reboot.

Last but not least, SEARCH is not working in Windows. This was not working before virus removal and hasn't changed.

Looking forward to more great and innovative ideas! THanks!

I would like to see a fresh HJT logfile, We are still cleaning your computer.

Logfile of HijackThis v1.99.1
Scan saved at 3:17:38 PM, on 5/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Owner\Application Data\U3\00001779A961EA95\LaunchPad.exe
C:\Documents and Settings\Owner\My Documents\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CplBTQ00] "C:\Program Files\EzButton\CplBTQ00.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [EPSON Stylus CX6400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Thanks for your continued help!

PROBLEM SOLVED!!!!! THANK YOU SO MUCH FOR ALL YOUR HELP, RAHINA. THERE'S NO WAY THIS WOULD HAVE HAPPENED WITHOUT YOUR EXPERTISE!!!!!

This is how I finally solved it.......
Downloaded IE6 and transferred to infected computer. During setup Windows kept trying to update, but couldn't access web (the infected computer could not access web). As a last effort I connected with AOL via dialup and setup IE6 again.
Windows successfully updated through dialup (which was not able to access anything beyond AOL before). I tried to setup IE6, but got error "The download location information is damaged. Please clear your IE broser cache and retry setup." I cleared out one cookie -mediaplex, cleared history, cleared temp files, but there weren't that many. I then setup IE6 without errors and accessed web successfuly through dialup connection (was not possible before).
Unplugged telephone line, plugged in cable, and the rest is history.

THANK YOU RAHINA RESCUE! YOU REALLY DID COME TO MY RESCUE! I REALLY NEEDED THAT COMPUTER!