
Win infection - Winows OneCare won't remove...

Discussion in 'Malware and Virus Removal Archive' started by docfarms, 2007/10/17.

    docfarms (Thread Starter), 2007/10/17:
    Our computer has been running extremely slowly the last week or so. There have been lots of pop-ups, etc. I downloaded Windows Live OneCare and ran it 3-4 times back to back. It always had new threats, even though it had cleaned up several severe/high/medium risks/viruses. I noticed on the last go-round that there was one that said it couldn't be cleaned up... I believe it was Win32/Vundo. My computer froze up and I lost the exact description of what it was. I am tired of running that scan, seeing as there must be something it just can't clean, and it takes forever to run. I searched for the virus for solutions and saw a topic from someone who had the same problem that you guys fixed. I am really hoping that you can help me too.

    I have read the suggestions and run HijackThis and Deckard's, so here they are:

    HijackThis:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:45:06 PM, on 10/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\tsitra572.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\WinTouch.exe
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Microsoft\Windows\rayiou.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\shpisgsj.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662EA4EBF968951185EFC412806867680AEC7614B76D9695375FB0FB68AD6
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ccimdecw.dll ",sitypnow
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\WinTouch.exe
    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Microsoft\Windows\rayiou.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantispyware.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantispyware.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169699872453
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\shpisgsj.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 11536 bytes


    And my Deckard's log:
    Deckard's System Scanner v20071014.68
    Run by office depot on 2007-10-17 20:37:54
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Percentage of Memory in Use: 85% (more than 75%).
    Total Physical Memory: 192 MiB (512 MiB recommended).


    -- HijackThis (run as office depot.exe) ----------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:39:05 PM, on 10/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\tsitra572.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\WinTouch.exe
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Microsoft\Windows\rayiou.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\shpisgsj.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Temporary Internet Files\Content.IE5\HITJQBOO\dss[1].exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\OFFICE~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {39050390-3986-4110-AABE-743604062436} - C:\WINDOWS\system32\awtqo.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: (no name) - {81C1D568-6863-4275-9431-25BDA007138A} - C:\WINDOWS\system32\geedd.dll
    O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\sxokondh.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662EA4EBF968951185EFC412806867680AEC7614B76D9695375FB0FB68AD6
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ccimdecw.dll ",sitypnow
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\WinTouch.exe
    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Microsoft\Windows\rayiou.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantispyware.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantispyware.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169699872453
    O20 - Winlogon Notify: ljjjigh - C:\WINDOWS\SYSTEM32\ljjjigh.dll
    O20 - Winlogon Notify: xxyxuvw - C:\WINDOWS\SYSTEM32\xxyxuvw.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\shpisgsj.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 12839 bytes

    -- Files created between 2007-09-17 and 2007-10-17 -----------------------------

    2007-10-17 19:25:54 83008 --a------ C:\WINDOWS\system32\ccimdecw.dll
    2007-10-17 19:24:28 75328 --a------ C:\WINDOWS\system32\shpisgsj.exe <Not Verified; ; DDC>
    2007-10-17 19:17:50 734983 ---hs---- C:\WINDOWS\system32\oqtwa.bak2
    2007-10-17 12:43:44 35840 -ra------ C:\WINDOWS\tsitra572.exe
    2007-10-16 20:11:49 6474 ---hs---- C:\WINDOWS\system32\oqtwa.bak1
    2007-10-16 20:11:18 311904 --a------ C:\WINDOWS\system32\awtqo.dll
    2007-10-14 10:30:34 0 d-------- C:\{00004528-0000-0000-9AB9-EAF2326D58D2}
    2007-10-14 09:49:47 0 d-------- C:\Program Files\Trend Micro
    2007-10-13 19:35:59 0 d-------- C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch
    2007-10-13 19:35:57 0 d-------- C:\Program Files\InetGet2
    2007-10-13 08:01:59 0 d-------- C:\{00004528-0000-0000-25F5-C8AF332CA15C}
    2007-10-13 05:02:16 0 d-------- C:\{8001B643-0000-0000-862E-45EE137523CD}
    2007-10-12 00:11:42 78400 --a------ C:\WINDOWS\system32\sxokondh.dll
    2007-10-11 23:54:13 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
    2007-10-11 23:53:48 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2007-10-11 23:47:44 0 d--hs---- C:\WINDOWS\b2ZmaWNlIGRlcG90
    2007-10-11 23:47:21 35840 --a------ C:\WINDOWS\tsitra1000106.exe
    2007-10-11 23:47:02 0 d-------- C:\WINDOWS\system32\que1
    2007-10-11 23:47:02 0 d-------- C:\WINDOWS\system32\hap1
    2007-10-11 23:47:02 0 d-------- C:\WINDOWS\system32\comms2
    2007-10-11 23:46:23 0 d-------- C:\WINDOWS\system32\vMW02a
    2007-10-11 23:46:13 36352 --a------ C:\WINDOWS\system32\xxyxuvw.dll
    2007-10-10 19:14:55 760650 ---hs---- C:\WINDOWS\system32\ddeeg.bak2
    2007-10-09 22:40:57 6505 ---hs---- C:\WINDOWS\system32\ddeeg.bak1
    2007-10-09 22:35:23 244832 --a------ C:\WINDOWS\system32\geedd.dll
    2007-10-09 22:34:57 36352 --a------ C:\WINDOWS\system32\ssqqrpm.dll
    2007-10-09 22:30:05 0 d-------- C:\WINDOWS\system32\o02PrEz
    2007-10-09 22:29:58 36352 --a------ C:\WINDOWS\system32\ljjjigh.dll
    2007-09-26 11:28:01 0 d-------- C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\U3
    2007-09-18 21:59:22 32768 --a------ C:\WINDOWS\system32\rexmlt.dll <Not Verified; Realm Business Solutions, Inc.; reXMLT>
    2007-09-18 21:59:19 299008 --a------ C:\WINDOWS\system32\FAIBL12.DLL <Not Verified; Realm Business Solutions, Inc.; FAIBL>
    2007-09-18 21:58:16 0 d-------- C:\Program Files\ARGUS


    -- Find3M Report ---------------------------------------------------------------

    2007-10-17 20:00:02 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-10-14 19:20:02 0 d-------- C:\Program Files\Windows Live Safety Center
    2007-09-25 22:39:53 0 d-------- C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Move Networks
    2007-09-05 23:39:11 0 d-------- C:\Program Files\MUSICMATCH
    2007-09-03 08:55:49 0 d-------- C:\Program Files\Quicken
    2007-09-03 08:49:23 0 d-------- C:\Program Files\Notebook Maximizer
    2007-09-03 08:45:53 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
    2007-09-03 08:45:53 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
    2007-09-03 08:45:52 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
    2007-09-03 08:43:09 0 d-------- C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Apple Computer


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39050390-3986-4110-AABE-743604062436}]
    10/16/2007 08:11 PM 311904 --a------ C:\WINDOWS\system32\awtqo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81C1D568-6863-4275-9431-25BDA007138A}]
    10/09/2007 10:35 PM 244832 --a------ C:\WINDOWS\system32\geedd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]
    10/12/2007 12:11 AM 78400 --a------ C:\WINDOWS\system32\sxokondh.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [04/21/2004 02:04 AM]
    "ATIModeChange"="Ati2mdxx.exe" [09/04/2001 03:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/09/2004 10:10 PM]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [09/26/2003 04:43 PM]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [01/22/2004 06:09 PM]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/22/2004 06:08 PM]
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [04/30/2004 05:42 PM]
    "TPSMain"="TPSMain.exe" [03/03/2004 01:57 PM C:\WINDOWS\system32\TPSMain.exe]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [02/03/2004 03:47 PM]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [03/02/2004 02:45 PM]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [10/20/2003 09:39 AM]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [05/16/2006 05:50 PM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [03/21/2006 07:30 PM]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/30/2003 12:14 AM]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [03/21/2006 01:19 PM]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 08:38 AM]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [01/13/2006 06:20 PM]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [02/16/2005 11:11 PM]
    "runner1"="C:\WINDOWS\tsitra572.exe" [10/17/2007 12:43 PM]
    "SearchIndexer"="C:\WINDOWS\system32\ccimdecw.dll" [10/17/2007 07:25 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [05/16/2006 05:51 PM]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [11/30/2006 10:49 PM]
    "WinTouch"="C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\WinTouch.exe" [10/13/2007 07:37 PM]
    "SfKg6w"="C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Microsoft\Windows\rayiou.exe" [10/13/2007 07:37 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [12:00:00 AM]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [5/7/2004 12:54:09 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97} "= C:\WINDOWS\system32\xxyxuvw.dll [10/11/2007 11:46 PM 36352]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjigh]
    ljjjigh.dll 10/09/2007 10:29 PM 36352 C:\WINDOWS\system32\ljjjigh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxuvw]
    xxyxuvw.dll 10/11/2007 11:46 PM 36352 C:\WINDOWS\system32\xxyxuvw.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\awtqo.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command- E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04235d60-6c55-11dc-b97d-009096b4c64a}]
    AutoRun\command- E:\LaunchU3.exe -a




    -- End of Deckard's System Scanner: finished at 2007-10-17 20:42:20 ------------

    I am a beginner to doing anything like this but I think I'm a quick learner... hopefully right :D.

    Thank you guys so much for any help you can give me!

    Thanks!
     
  2. 2007/10/17
    noahdfear
    Welcome to WindowsBBS docfarms. :)

    Download the DelDomains.inf file to your desktop.

    Download VundoFix by Atribune, saving it to your desktop.

    Download ComboFix by sUBs from here or here, saving the file to your Desktop.

    Right-click on the deldomains.inf file and select Install.

    Reboot your computer.

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Finally,
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log, the C:\VundoFix.txt log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2007/10/17
    docfarms (Thread Starter)
    Okay, so I ran everything... and I think that I did it just the way you described. When I right clicked on the DelDomains.inf file and selected install, nothing happened.

    Anyways, here is my log created by Combofix:

    ComboFix 07-10-17.8@ - office depot 2007-10-17 22:27:49.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.19 [GMT -6:00]
    Running from: C:\Documents and Settings\office depot.TOSHIBA-USER\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\config.cfg.7768d4c740d5cc464351d089ff54b214
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\fusion.cfg.78aa8eaa6307f6940ea031d4e6e92054.9f8dc38b4f6fc0c929a7f813cbe25dc8
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\wintouch.cfg
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\WinTouch.exe
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\WinTouch.exe
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\WTUninstaller.exe
    C:\Program Files\inetget2
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\iee
    C:\Temp\xOe
    C:\Temp\xOe\tOasF.log
    C:\WINDOWS\b138.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\awtqo.dll
    C:\WINDOWS\system32\awtqo.dll
    C:\WINDOWS\system32\ccimdecw.dll
    C:\WINDOWS\system32\hmntjwqg.dll
    C:\WINDOWS\system32\o02PrEz
    C:\WINDOWS\system32\oqtwa.bak1
    C:\WINDOWS\system32\oqtwa.bak1
    C:\WINDOWS\system32\oqtwa.bak2
    C:\WINDOWS\system32\oqtwa.bak2
    C:\WINDOWS\system32\oqtwa.ini
    C:\WINDOWS\system32\oqtwa.ini
    C:\WINDOWS\system32\shpisgsj.exe
    C:\WINDOWS\system32\vMW02a
    C:\WINDOWS\tsitra1000106.exe
    C:\WINDOWS\tsitra572.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NETWORK_MONITOR
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
    .

    2007-10-17 22:08 <DIR> d-------- C:\VundoFix Backups
    2007-10-14 10:30 <DIR> d-------- C:\{00004528-0000-0000-9AB9-EAF2326D58D2}
    2007-10-14 09:49 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-13 08:01 <DIR> d-------- C:\{00004528-0000-0000-25F5-C8AF332CA15C}
    2007-10-13 05:02 <DIR> d-------- C:\{8001B643-0000-0000-862E-45EE137523CD}
    2007-10-11 23:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
    2007-09-26 11:28 <DIR> d-------- C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\U3
    2007-09-18 21:58 <DIR> d-------- C:\Program Files\ARGUS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-18 02:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-15 01:20 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-09-26 04:39 --------- d-----w C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Move Networks
    2007-09-06 05:39 --------- d-----w C:\Program Files\MUSICMATCH
    2007-09-03 14:55 --------- d-----w C:\Program Files\Quicken
    2007-09-03 14:49 --------- d-----w C:\Program Files\Notebook Maximizer
    2007-09-03 14:43 --------- d-----w C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Apple Computer
    2005-12-09 22:59 364,998 ------r C:\Program Files\Common Files\bidispl3.exe
    2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81C1D568-6863-4275-9431-25BDA007138A}]
    C:\WINDOWS\system32\geedd.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-04-21 02:04]
    "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\system32\Ati2mdxx.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 22:10]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 16:43]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 18:09]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 18:08]
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-04-30 17:42]
    "TPSMain"="TPSMain.exe" [2004-03-03 13:57 C:\WINDOWS\system32\TPSMain.exe]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 15:47]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 14:45]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 09:39]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 17:50]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 19:30]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 18:20]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 17:51]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 15:06:14]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-05-07 12:54:09]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\awtqo.dll

    R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04235d60-6c55-11dc-b97d-009096b4c64a}]
    AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-03 21:32:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    "2007-10-18 04:12:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job "
    "2007-10-18 04:45:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-17 22:42:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-17 22:47:19 - machine was rebooted
    .
    --- E O F ---


    Thanks again for all your help! :D
     
  5. 2007/10/18
    noahdfear
    Please post the C:\VundoFix.txt log and a new HijackThis log. I'll check them this evening.
     
  6. 2007/10/18
    docfarms (Thread Starter)
    This is the HiJack file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:13:51 PM, on 10/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: (no name) - {81C1D568-6863-4275-9431-25BDA007138A} - C:\WINDOWS\system32\geedd.dll (file missing)
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169699872453
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 10272 bytes



    This is the ComboFix file:

    ComboFix 07-10-17.8@ - office depot 2007-10-18 20:16:53.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.43 [GMT -6:00]
    Running from: C:\Documents and Settings\office depot.TOSHIBA-USER\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
    .

    2007-10-17 22:08 <DIR> d-------- C:\VundoFix Backups
    2007-10-17 21:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-14 10:30 <DIR> d-------- C:\{00004528-0000-0000-9AB9-EAF2326D58D2}
    2007-10-14 09:49 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-13 08:01 <DIR> d-------- C:\{00004528-0000-0000-25F5-C8AF332CA15C}
    2007-10-13 05:02 <DIR> d-------- C:\{8001B643-0000-0000-862E-45EE137523CD}
    2007-10-11 23:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
    2007-10-11 23:47 <DIR> d-------- C:\WINDOWS\system32\que1
    2007-10-11 23:47 <DIR> d-------- C:\WINDOWS\system32\hap1
    2007-10-11 23:47 <DIR> d-------- C:\WINDOWS\system32\comms2
    2007-10-11 23:47 <DIR> d--hs---- C:\WINDOWS\b2ZmaWNlIGRlcG90
    2007-09-26 11:28 <DIR> d-------- C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\U3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-18 02:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-15 01:20 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-09-26 04:39 --------- d-----w C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Move Networks
    2007-09-19 03:58 --------- d-----w C:\Program Files\ARGUS
    2007-09-06 05:39 --------- d-----w C:\Program Files\MUSICMATCH
    2007-09-03 14:55 --------- d-----w C:\Program Files\Quicken
    2007-09-03 14:49 --------- d-----w C:\Program Files\Notebook Maximizer
    2007-09-03 14:45 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
    2007-09-03 14:45 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
    2007-09-03 14:45 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
    2007-09-03 14:43 --------- d-----w C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Apple Computer
    2005-12-09 22:59 364,998 ------r C:\Program Files\Common Files\bidispl3.exe
    2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81C1D568-6863-4275-9431-25BDA007138A}]
    C:\WINDOWS\system32\geedd.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-04-21 02:04]
    "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\system32\Ati2mdxx.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 22:10]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 16:43]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 18:09]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 18:08]
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-04-30 17:42]
    "TPSMain"="TPSMain.exe" [2004-03-03 13:57 C:\WINDOWS\system32\TPSMain.exe]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 15:47]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 14:45]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 09:39]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 17:50]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 19:30]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 18:20]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 17:51]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 15:06:14]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-05-07 12:54:09]

    R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
    S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe
    S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
    S4 itcppss;Indigo Tcp Port Sharing Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IndigoListener.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04235d60-6c55-11dc-b97d-009096b4c64a}]
    AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-03 21:32:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    "2007-10-19 02:12:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job "
    "2007-10-19 01:17:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-18 20:20:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-18 20:22:11
    C:\ComboFix2.txt ... 2007-10-17 22:47
    .
    --- E O F ---


    My computer is behaving so much better :D YEAH!!!

    Thanks again!
     
  7. 2007/10/18
    noahdfear
    Scan again with HijackThis and place a check next to the following entry, then click Fix Checked.

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    Close HijackThis.


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    http://www.windowsbbs.com/showthread.php?p=368676#post368676
    Submit::[22]
    C:\Program Files\Common Files\bidispl3.exe
    C:\Program Files\Common Files\SM1updtr.dll
    Folder::
    C:\WINDOWS\system32\que1
    C:\WINDOWS\system32\hap1
    C:\WINDOWS\system32\comms2
    C:\WINDOWS\b2ZmaWNlIGRlcG90
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81C1D568-6863-4275-9431-25BDA007138A}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Please note that I have instructed CFScript to collect some files for analysis. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. I'll let you know what to do with them once analyzed. Thanks!
     
  8. 2007/10/18
    docfarms
    Here is the new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:30:46 PM, on 10/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: (no name) - {81C1D568-6863-4275-9431-25BDA007138A} - C:\WINDOWS\system32\geedd.dll (file missing)
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169699872453
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 10220 bytes


    Here is the Combofix log that was created after it ran when I dropped in the notepad text file you had me create. There was never a zip file that downloaded itself to my desktop and I wasn't prompted to do anything after combofix ran and rebooted...

    ComboFix 07-10-17.8@ - office depot 2007-10-18 21:17:06.3 - NTFSx86
    Script execution time was exceeded on script "C:\ComboFix\osid.vbs ".
    Script execution was terminated.
    Running from: C:\Documents and Settings\office depot.TOSHIBA-USER\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\office depot.TOSHIBA-USER\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\b2ZmaWNlIGRlcG90
    C:\WINDOWS\system32\comms2
    C:\WINDOWS\system32\hap1
    C:\WINDOWS\system32\que1

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
    .

    2007-10-17 22:08 <DIR> d-------- C:\VundoFix Backups
    2007-10-17 21:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-14 10:30 <DIR> d-------- C:\{00004528-0000-0000-9AB9-EAF2326D58D2}
    2007-10-14 09:49 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-13 08:01 <DIR> d-------- C:\{00004528-0000-0000-25F5-C8AF332CA15C}
    2007-10-13 05:02 <DIR> d-------- C:\{8001B643-0000-0000-862E-45EE137523CD}
    2007-10-11 23:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
    2007-09-26 11:28 <DIR> d-------- C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\U3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-18 02:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-15 01:20 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-09-26 04:39 --------- d-----w C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Move Networks
    2007-09-19 03:58 --------- d-----w C:\Program Files\ARGUS
    2007-09-06 05:39 --------- d-----w C:\Program Files\MUSICMATCH
    2007-09-03 14:55 --------- d-----w C:\Program Files\Quicken
    2007-09-03 14:49 --------- d-----w C:\Program Files\Notebook Maximizer
    2007-09-03 14:43 --------- d-----w C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Apple Computer
    2005-12-09 22:59 364,998 ------r C:\Program Files\Common Files\bidispl3.exe
    2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81C1D568-6863-4275-9431-25BDA007138A}]
    C:\WINDOWS\system32\geedd.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-04-21 02:04]
    "ATIModeChange "= "Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\system32\Ati2mdxx.exe]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 22:10]
    "LtMoh "= "C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 16:43]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 18:09]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 18:08]
    "THotkey "= "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-04-30 17:42]
    "TPSMain "= "TPSMain.exe" [2004-03-03 13:57 C:\WINDOWS\system32\TPSMain.exe]
    "PadTouch "= "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 15:47]
    "SmoothView "= "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 14:45]
    "Pinger "= "c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 09:39]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "OM_Monitor "= "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 17:50]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "CanonMyPrinter "= "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 19:30]
    "SSBkgdUpdate "= "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]
    "OpwareSE4 "= "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 18:20]
    "HP Software Update "= "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
    "OM_Monitor "= "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 17:51]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 15:06:14]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-05-07 12:54:09]

    R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
    S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe
    S3 SQLWriter;SQL Server VSS Writer; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe "
    S4 itcppss;Indigo Tcp Port Sharing Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IndigoListener.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04235d60-6c55-11dc-b97d-009096b4c64a}]
    AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-03 21:32:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    "2007-10-19 03:24:53 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job "
    "2007-10-19 01:17:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-18 21:25:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-18 21:28:07
    C:\ComboFix2.txt ... 2007-10-18 20:22
    C:\ComboFix3.txt ... 2007-10-17 22:47
    .
    --- E O F ---
     
  9. 2007/10/18
    noahdfear
    Scan again with HijackThis and place a check next to the following entry, then click Fix Checked.

    O2 - BHO: (no name) - {81C1D568-6863-4275-9431-25BDA007138A} - C:\WINDOWS\system32\geedd.dll (file missing)


    Close HijackThis.

    Please go to jotti and browse to then submit the following file.

    C:\Program Files\Common Files\bidispl3.exe

    Once submitted, wait for the analysis to complete, then copy the results to a blank notepad. Now submit the following file and copy its results as well.

    C:\Program Files\Common Files\SM1updtr.dll

    Post those results here please.
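Both HijackThis "Fix Checked" instructions in this thread rest on the same triage rule: an R3 hook or O2 BHO that still has a registry loading point but no file behind it ("(no file)", "(file missing)"), or that has no display name, is a leftover worth removing, while an O9 button with "(no name)" is normal (the Java console and Network Diagnostic buttons in the same log). The script below is an added example, not part of the original thread and not code from HijackThis or from the helper; it parses the HijackThis 2.0.2 line format and applies that rule to a handful of constructed sample lines modelled on the ones quoted above. The section names it treats as suspicious when unnamed, the GUID pattern and the O9 exception are the example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on lines quoted in this thread: the two entries
# the helper asked to have fixed plus four benign ones (including an O9 button
# with "(no name)", which must NOT be flagged).
SAMPLE_LOG = "\n".join([
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll",
    r"O2 - BHO: (no name) - {81C1D568-6863-4275-9431-25BDA007138A} - C:\WINDOWS\system32\geedd.dll (file missing)",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r"O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe",
    r"O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe",
])

# Every HijackThis entry line starts with a section tag (R0..R3, F0..F3, O1..O24),
# a " - " separator and the entry body. Header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# A COM class id; the R3 entry in this thread carries a leading underscore, which
# is stripped so the GUID can be looked up as-is.
CLSID_RE = re.compile(r"_?\{[0-9A-Fa-f-]{36}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Sections where a missing display name is itself suspicious (assumption of this
# example): search hooks, browser helper objects and toolbars.
UNNAMED_SUSPICIOUS = ("R3", "O2", "O3")


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Split a HijackThis log into entry records; non-entry lines are ignored."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0).lstrip("_") if clsid else "",
            "orphan": any(mk in body for mk in ORPHAN_MARKERS),
            "unnamed": "(no name)" in body,
        })
    return entries


def triage(text: str) -> List[str]:
    """Return the log lines a helper would usually tick before Fix Checked:
    entries whose target file is gone, and unnamed hooks/BHOs/toolbars."""
    flagged: List[str] = []
    for e in parse_hjt(text):
        if e["orphan"] or (e["unnamed"] and e["section"] in UNNAMED_SUSPICIOUS):
            flagged.append(f'{e["section"]} - {e["body"]}')
    return flagged


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

To use it on a real log, replace SAMPLE_LOG with the contents of the saved hijackthis.log; the printed lines are the candidates to tick. The rule is deliberately narrow: an orphaned loading point is safe to remove because nothing is left to load, whereas a live DLL such as yt.dll is only a candidate for removal after the file itself has been identified.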
     
  10. 2007/10/18
    docfarms
    Here is the first one:

    File: bidispl3.exe
    Status: OK
    MD5: cb7d341c36079b619c74ea996479ab61
    Packers detected: -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 19 Oct 2007 04:13:14 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    ...and the second:

    File: SM1updtr.dll
    Status: OK
    MD5: 598fd8a25ab068ef88aac7fcdb6a19e0
    Packers detected: -
    Bit9 reports: No threat detected (more info)

    Scanner results
    Scan taken on 19 Oct 2007 04:10:32 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
  11. 2007/10/18
    noahdfear
    Would you also check the properties of each of those files for Company Name, Version number, etc ......... whatever you can find.

    Let's make sure we haven't missed anything. Please do an online scan with Kaspersky WebScanner.

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under "Select a target to scan", select My Computer.
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  12. 2007/10/19
    docfarms
    Here is the Kaspersky log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, October 19, 2007 3:47:40 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/10/2007
    Kaspersky Anti-Virus database records: 439320
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 63933
    Number of viruses found: 12
    Number of infected objects: 142
    Number of suspicious objects: 0
    Duration of the scan process: 02:14:34

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02072007-211553.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_6b8.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Microsoft\Windows\rayiou.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0136BB4A-731D-4010-B006-E6777B17D694} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{06ED1C0E-286B-40FF-9B1B-BE1D88ADF13C} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0908A7E5-65F8-4A40-903A-FC6C29303E6B} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{093D88D8-9ABB-4C89-B7A6-6B057717119B} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0A2A2A2D-D2BF-4D80-96D4-24D9B4C965F9} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0CC1989B-BB99-47CF-9BA2-76F711822FC6} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{11DAB422-8DE2-4542-8784-A48514A32DB3} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{14AE4D86-59D0-428C-8183-AA5C8E3C3FAE} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{16A6E4A6-DC20-40B6-8925-7BEF7BA1ED2F} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1A5A23A1-E465-43B8-B52C-CB29DEB2F354} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1CFD6B29-EAB4-40AC-97E6-3C603086B05D} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1E4C44E9-854D-414A-A091-A53AD81F0317} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2429A3CF-04EE-402F-86C6-101E2302AA3C} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{26893DEC-4896-4A4B-8227-304B4F751401} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{27C7B74D-E7EA-45D5-93E5-277B360246A2} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{286F184A-2E89-4B1C-BF3F-8B37FB58D847} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{288BA4F2-6C93-42CB-91F4-6366444221CE} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2C5029F2-AF45-4A8C-A1DB-22A1BC8355D1} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2E668524-BA1A-48E3-8980-0DA1011ED50E} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3127E374-6BF4-4269-993D-FE144363FC30} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{31A8F04A-A8A5-45D1-9AC1-19CB974DA110} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{31BF2148-B0CD-48CC-8AEB-9625644C4459} Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{32830FF5-0490-488A-ADC4-650273A44C9C} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3841EBF5-9D1A-41E6-8866-E6A5061DAF7C} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3878A01E-E800-47EC-B762-D74C2F18BB7B} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{38D224E1-E106-42B2-AAB1-F798BA5483E7} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{38DC6F24-BF8E-49DB-9BD0-F4FBE2701B5A} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3B76DBA5-1663-4BD0-B847-104152A6A118} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3C9BDC13-C33A-48DF-BBB9-AB1315048D43} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3E18DB84-B650-4F21-AF0C-98EC9470BA0B} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{415E1CD3-2BA0-493C-8381-1F6998FC6CEC} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{451FE992-E7BD-4F67-988B-69C398A95D6E} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{47D5E701-56A2-499C-AE05-8B7C9521B08B} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{4DE48971-8A3A-4FA8-AE13-BB58D7F03839} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{506CC36F-394F-4127-AFDA-5F91FFCB475E} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{50B6CC7B-DCB8-413F-83DE-5D4EDD727501} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5141E9E9-4906-4BF9-AF75-806559D5BB5D} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{52A7668E-33D5-4D76-8BF9-EED7471C0C5C} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{54161AF1-4475-4301-9C01-CD139FD722E3} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5AED05EE-F401-4985-BF7E-A493AB801D69} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5B90B6F1-FC5D-479E-973D-9DA748728318} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5C4EB8DC-ABAD-4DE1-874C-4955F6332F88} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5EFC5C30-7FDB-467B-919F-689E93953694} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5F00F9A4-507A-4F23-B2E3-907CB39AAA05} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{629450BE-0D56-43C2-B66B-458E4C43BACD} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{687A2F42-1FAE-4C5D-A07D-DBC4BA4935FA} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{698F57E1-5CBC-4CC6-BF32-A637630E2E06} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6ADB32E9-EB70-4FE3-85B3-AB31999EEBDD} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6B2357B0-AAF6-4E3E-AE86-96425304CCCF} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6B25114F-FEB0-47DD-90FC-81812D56CE67} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6CEB1DC7-C179-48B1-A1BC-4106612EDFD4} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6DC6C1DC-A616-4D04-BA6F-905C358AB827} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6F9D2A48-B86D-4055-A926-429E0F0489C4} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{78C90B12-3394-4D5D-A2D6-E9FB9BE8AFF3} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{79942AE5-13C5-4166-9470-8E87C4D62209} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{7A17C884-1C79-4B48-A772-EFD94AFE9FD9} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{7C000C30-5270-4314-950E-ABEB82833695} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{7D3F1086-5A1E-4178-B1A5-654C6AF4934F} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{7DC4E718-AD65-486C-9233-13C7BCDF6644} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{7EDF6490-1C32-46B6-9244-35745781269F} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{826F723E-B7B7-4E9F-9949-59D564EDC7B8} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{86753E2C-EA0E-499B-89E1-6C888ADE33C4} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{89D67CD2-E03D-4FF4-8199-5FC3894C5C25} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8A91BD5F-419F-450D-AFDC-CBE2A6B6A98C} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8BAB3B2C-1756-4DFD-A488-295C78769529} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8DEB2A25-A5E0-4A0B-B390-6FFE1F0F9F7A} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8F503393-712B-482A-966A-07267AA214C8} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{924EDEA1-1CF1-4823-9128-4E3E4BBB6971} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{943E4178-2146-462A-B43D-EACF1B496048} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{96FEC635-C862-4A96-82BB-3BCA6EA00802} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9A3143C9-AD7E-4A70-BCEA-6D9C9989F2BE} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9B845023-02F1-4921-9D76-6F8D4989FB77} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9B97C90E-D075-4B82-909A-5D722EFE99C7} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9CA20025-1135-46AD-8E70-0BBCDB4D2516} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9E6452CC-A06D-4FA6-BA11-5BE3E4947498} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9F87368B-09F1-4CE0-9799-DB9C601DD3F2} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A02C3C5C-A8D7-4ADD-B128-10887E437D57} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A1465BC4-59D1-421A-8A43-83FE69A1FFC7} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A5E9ADEB-0FF1-4B17-B112-14A4DE7B97C3} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A88A50DE-BEBD-4565-90D2-341555B03411} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A8B8C00E-30CF-4232-BE71-E9C40ACC4165} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AE4E0062-3B3E-44A5-AFE5-C89B16A691A6} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B437F49F-FFC6-4402-9298-F687D9871094} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B4A8AD64-A469-4B74-A536-F6A05AF2896D} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B6FA1961-3574-4780-8085-32754A9A6B95} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B73EF7F1-1E21-4F2F-993B-2FA9CF444951} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B8A14A81-B05C-4A0E-9E3C-5529C7E2FB91} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{BA133754-0BA6-4761-A7E9-BF05A1C40467} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{BB9BC0D4-69B0-4CDB-B034-F5684FAEAFFB} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{BF44C8DD-9CC8-494C-9F2A-5C362A363B01} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C225908A-E0CC-4891-A389-1F2E3C4FAA35} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C3DB2DCB-DFA3-4487-801E-638F6599101A} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C414C02D-0ABA-4D65-BC57-A66FD0AABEE7} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C51CF59E-B597-4B49-A82E-00EE691154A1} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C9F42D15-57E6-4C35-8C37-D7A892CEEB84} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CC6587DA-F6E0-4ABF-8F41-0C26A9F79311} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CD1C928D-9C5B-4C60-A970-5C2E8F4BD7B5} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CF99A549-C5CD-4514-8813-470192F865EA} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D06A7893-12DE-4A1F-A877-B44A579A9846} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D0D1A992-C3B1-4A3E-AB7C-277ECCD0E245} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D30EBA05-E6BF-4A09-B744-90C72561A681} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D52A396C-9180-4354-AB78-8BDFBB9DA5A7} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D5C24F1B-A4B9-4306-A6C2-50D7E6AF7265} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D6C302F7-7910-4E5F-907B-0FF559C131D2} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D6F2801B-4027-478D-B8E2-44D7DABC7780} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D7869C8C-F87C-44AE-8C68-EA93758F68D1} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D94EFB67-A00C-42C6-852C-5B5DB48228E0} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DB9DEFE4-AEED-4F2E-8811-8F7E084C6830} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DBAA48FE-5405-4CFA-B425-EBA9D4C3556B} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DD1319EF-0AA3-4D90-93A0-BB5857839809} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DFDE4427-AB08-4E43-942B-86D54EF6531E} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{E0ADFAB9-A97D-48EA-AEA6-A77BA751E0A1} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{E15ACDBB-763C-43AD-936C-EBFE8B488BEE} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{E1A76A2D-CFA6-4DB6-A727-4CF51A67A74E} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{E244C7A3-DD51-43E9-A929-4B18B8815AC4} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{E3F50071-6FDD-4452-AC30-52898C7EDB69} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{E7F34D49-ABF7-459C-B351-0BF2AD1D64F5} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EB68F28F-CAA8-4E5E-B2B9-C1E76BF3C244} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EBA9B984-3E08-44A0-978C-F28F82EEF3B0} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F61B4177-06B1-4A21-AAB8-514B15BBCA5D} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F643DC95-949A-488C-964C-22138F4C29A9} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F7C7AEC5-14D2-4439-84AE-AE3E98BC9D0D} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{FC802548-D094-4282-BE58-AEC1F7D22A87} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{FE720D58-CC6A-4981-91BF-04E03C3D74E9} Infected: Trojan.Win32.Qhost.ha skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Temp\~DF5190.tmp Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\office depot.TOSHIBA-USER\ntuser.dat.LOG Object is locked skipped
    C:\EXACT.exe Infected: Trojan.Win32.Qhost.bi skipped
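Editor's added example (not part of docfarms' post, and not from Kaspersky, ComboFix or any other tool named in the thread): a short Python script that triages a scan log of the shape posted above. It separates the "Object is locked skipped" lines (expected for registry hives, .evt logs, index.dat and other files that are open while Windows runs) from the "Infected: ... skipped" lines, then sorts the latter by where the file sits: ComboFix's C:\qoobox quarantine (already neutralised), System Restore points under System Volume Information (cleared by switching System Restore off and on), Windows Defender's FileTracker store, and everything else, which is the short list that still needs action. The sample lines are constructed to match the posted format rather than being the full log; the bucket names, the assumption about what FileTracker holds, and the two family hints (Qhost rewrites the hosts file, Virtumonde is Vundo) are the editor's, not the scanner's.

```python
"""Triage of a Kaspersky-style scan log (added example, not from the thread).

Splits 'Object is locked skipped' lines (files open while Windows runs) from
'Infected: <name> skipped' lines, and sorts the latter by location so the
items that still need action stand out.  The sample lines are constructed to
match the format of the log posted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# <path> Infected: <detection> skipped   |   <path> Object is locked skipped
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:Infected: (?P<detection>\S+)|(?P<locked>Object is locked))\s+skipped$"
)

# Editor's notes on two families seen in the thread; not scanner output.
FAMILY_HINTS = {
    "Trojan.Win32.Qhost": "hosts-file hijacker: inspect %SystemRoot%\\system32\\drivers\\etc\\hosts",
    "not-a-virus:AdWare.Win32.Virtumonde": "Vundo adware: expect a BHO/DLL that reloads on boot",
}


@dataclass
class Finding:
    path: str
    detection: str
    bucket: str


def family(detection: str) -> str:
    """'Trojan.Win32.Qhost.ha' -> 'Trojan.Win32.Qhost' (drop the variant suffix)."""
    return detection.rsplit(".", 1)[0]


def classify(path: str, detection: str) -> str:
    """Bucket names are the editor's assumptions about triage priority."""
    p = path.lower()
    if detection.startswith("not-a-virus:"):
        return "review"               # riskware (e.g. RealVNC): confirm it was installed on purpose
    if "\\system volume information\\_restore" in p:
        return "restore-point"        # cleared by switching System Restore off and on again
    if "\\qoobox\\quarantine\\" in p:
        return "already-quarantined"  # ComboFix's quarantine folder: already neutralised
    if "\\windows defender\\filetracker\\" in p:
        return "defender-tracked"     # assumed to be Defender's own record store, not a live copy
    return "active"                   # everything else still needs to be dealt with


def parse_log(text: str):
    """Return (list of Finding, number of locked-file lines)."""
    findings, locked = [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # headers, 'Scan process completed.', etc.
        if m.group("locked"):
            locked += 1
            continue
        path, det = m.group("path"), m.group("detection")
        findings.append(Finding(path, det, classify(path, det)))
    return findings, locked


def summarize(findings):
    """Counts per malware family and per triage bucket."""
    return (Counter(family(f.detection) for f in findings),
            Counter(f.bucket for f in findings))


# Constructed sample in the posted log's format (not the full log).
SAMPLE_LOG = r"""
C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2429A3CF-04EE-402F-86C6-101E2302AA3C} Infected: Trojan.Win32.Qhost.ha skipped
C:\Documents and Settings\office depot.TOSHIBA-USER\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{31BF2148-B0CD-48CC-8AEB-9625644C4459} Object is locked skipped
C:\EXACT.exe Infected: Trojan.Win32.Qhost.bi skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP580\A0221503.exe Infected: Trojan-Downloader.Win32.Agent.dve skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

if __name__ == "__main__":
    found, locked = parse_log(SAMPLE_LOG)
    fams, buckets = summarize(found)
    print(f"{len(found)} detections, {locked} locked files skipped (normal for open hives/logs)")
    for fam, n in fams.most_common():
        print(f"  {n:3d}  {fam}  {FAMILY_HINTS.get(fam, '')}")
    print("needs action:", [f.path for f in found if f.bucket == "active"])
    print("by bucket:", dict(buckets))
```

Run it with the full log pasted into SAMPLE_LOG (or read from a file) and the "needs action" list is the set of paths worth asking the helper about; in the posted log that would be C:\EXACT.exe, while the dozens of FileTracker hits collapse to a single family count.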
     
  13. 2007/10/19
    docfarms (Inactive, Thread Starter)
    Sorry - the text was too big for one post....

    C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_150.trc Object is locked skipped
    C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\qoobox\Quarantine\C\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch\WTUninstaller.exe.vir Infected: Trojan-Downloader.Win32.Agent.buo skipped
    C:\qoobox\Quarantine\C\Documents and Settings\office depot.TOSHIBA-USER\Application Data\WinTouch.vir\WTUninstaller.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
    C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\shpisgsj.exe.vir Infected: Trojan.Win32.Agent.bck skipped
    C:\qoobox\Quarantine\C\WINDOWS\tsitra1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.dve skipped
    C:\qoobox\Quarantine\C\WINDOWS\tsitra572.exe.vir Infected: Trojan-Downloader.Win32.Agent.ecz skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP580\A0221503.exe Infected: Trojan-Downloader.Win32.Agent.dve skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP581\A0221505.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP585\A0222580.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acz skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP585\A0222583.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acx skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP585\A0222845.exe Infected: Trojan-Downloader.Win32.Small.fxy skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP586\A0222991.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP586\A0222992.exe Infected: Trojan-Downloader.Win32.Agent.dve skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP586\A0222993.exe Infected: Trojan-Downloader.Win32.Agent.ecz skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP586\A0222994.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP586\A0222998.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
    C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP587\change.log Object is locked skipped
    C:\WINDOWS\$NtUninstallKB822624$\hal.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828012$\ntkrnlmp.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828012$\ntkrnlpa.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828012$\ntkrnlpa.exe.000 Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828012$\ntkrpamp.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828012$\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828012$\ntoskrnl.exe.000 Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB830680$\keymgr.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.


    And here is the new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:50:55 AM, on 10/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169699872453
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 10212 bytes


    I can't believe the Kaspersky came up with so many things still....wow!


    Thank you soooo much for all of this!
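The log above is the raw material the helper works from: one line per BHO, toolbar, Run key, IE button and service, each naming the binary it loads. As an added example (not code from the original post, and not part of HijackThis itself), here is a small Python triage script that pulls the path out of each entry and flags the ones a reviewer would look at first: a service with no CompanyName, a dangling reference, a bare file name that Windows resolves through the PATH search order, and anything running from a user-writable profile directory. The sample entries are copied from the log above, except the rayiou.exe O4 line, which is constructed from the file path named later in the thread; the directory lists are assumptions about a stock Windows XP layout.

```python
"""Triage a HijackThis log offline (added example, not part of the thread's tools).

Pulls the binary path out of each O2/O3/O4/O9/O23 entry and flags the ones a
reviewer would look at first: no company name, a dangling reference, a bare
file name resolved through the PATH search order, or a binary living in a
user-writable profile directory instead of Program Files or Windows.
"""
import re

# Drive-rooted path ending in a common loader/plugin extension; unquoted paths
# with spaces are allowed because HijackThis prints them that way.
DRIVE_PATH = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl|scr|htm|html|cab)\b', re.I)
# Fallback for O4 entries that give only a file name (e.g. "Ati2mdxx.exe").
BARE_FILE = re.compile(r'[\w.-]+\.(?:exe|dll|scr)\b', re.I)

# Assumed roots where vendor binaries are expected on a Windows XP box.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\')
# Assumed locations the logged-on user can write to without admin rights.
USER_DIRS = ('documents and settings', 'application data', 'local settings', '\\temp\\')


def extract_path(line):
    """Return the binary path named in a HijackThis line, or None."""
    m = DRIVE_PATH.search(line)
    if m:
        return m.group(0)
    if ']' in line:  # O4 - ...: [name] file args
        m = BARE_FILE.search(line.split(']', 1)[1])
        if m:
            return m.group(0)
    return None


def triage(line):
    """Return (path, findings) for one log line; findings is empty if nothing stood out."""
    findings = []
    path = extract_path(line)
    low = (path or '').lower()
    if '(file missing)' in line.lower():
        findings.append('references a file that is no longer on disk')
    if line.startswith('O23') and 'unknown owner' in line.lower():
        findings.append('HijackThis read no CompanyName from the service binary')
    if path is not None:
        if not DRIVE_PATH.match(path):
            findings.append('no directory given; Windows resolves it via the PATH search order')
        elif any(marker in low for marker in USER_DIRS):
            findings.append('runs from a user-writable profile directory')
        elif not low.startswith(TRUSTED_ROOTS):
            findings.append('outside Program Files and Windows')
    return path, findings


def triage_log(text):
    """Return [(line, path, findings)] for every entry that produced a finding."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        path, findings = triage(line)
        if findings:
            results.append((line, path, findings))
    return results


# Sample entries copied from the log posted above, plus one constructed O4 line
# for the rayiou.exe file named later in the thread (it is not in the posted log).
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [rayiou] C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Microsoft\Windows\rayiou.exe
O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

if __name__ == '__main__':
    for line, path, findings in triage_log(SAMPLE_LOG):
        print(line[:70])
        print('   path:', path)
        for finding in findings:
            print('   -', finding)
```

The flags are a reading order, not a verdict: pinger.exe is a Toshiba component and is flagged only because it sits outside Program Files, while the rayiou.exe entry under Application Data is exactly the kind of line that gets deleted later in this thread. Each flagged file still has to be checked the way the helper does here, by version information and, where that is missing, by submitting the sample.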
     
  14. 2007/10/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Kaspersky scan looks great! Most all of the infected files are either quarantined or in System Restore points, which we will clean up now.

    Delete the following files.

    C:\EXACT.exe
    C:\Documents and Settings\office depot.TOSHIBA-USER\Application Data\Microsoft\Windows\rayiou.exe
    C:\WINDOWS\nircmd.exe

    Start ComboFix.exe again. At the Disclaimer screen, select option 2. This will uninstall ComboFix and remove the files and folders it created and copied to the system.

    Open Windows Defender and remove all of the Quarantined items.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    If you're satisfied that the computer is working properly, clear the System Restore points.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.



    Were you able to find any information on the 2 files I mentioned in my last post?
     
  15. 2007/10/19
    docfarms

    docfarms Inactive Thread Starter

    Joined:
    2007/10/14
    Messages:
    12
    Likes Received:
    0
    Oh yeah, I never did find out anything about those 2 files...because I didn't know how to find out anything. I don't know what my brain is doing, but I know that it's not thinking. I can't for the life of me think how I find those files to delete them.

    If you can direct me how to do it, I would love to. :)
     
  16. 2007/10/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click Start then My Computer.
    Open Local Disk C:
    Locate and delete EXACT.exe

    Open the Windows folder.
    Locate and delete nircmd.exe

    Go back to Local Disk C: then open Documents and Settings
    Open office depot.TOSHIBA-USER
    Open Application Data << if you can't see this folder, click here
    Open Microsoft
    Open Windows
    Locate and delete rayiou.exe

    Go back to Local Disk C:
    Open Program Files
    Open Common Files
    Locate bidispl3.exe then right click it and select Properties
    If there is a Version tab, select it and gather the information for Company, Version, etc.
    Close the Properties window then check the properties on SM1updtr.dll


    Post the properties info here please.
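The Company and Version fields on the Properties > Version tab come from the file's PE version resource, and a file with no Version tab at all (as bidispl3.exe turns out to have) is exactly the case where an analyst wants other identifying data before deleting or submitting it. As an added example (not code from the original post), here is a Python script that gathers the offline equivalent: size, SHA-256 and the COFF link timestamp from the PE header. The sample bytes are constructed in the script so it runs without touching the machine; the timestamp value used is hypothetical, and the real files named in the thread are not read.

```python
"""Fingerprint an unknown executable before deciding whether to delete or submit it
(added example; not part of the thread's tools).

The Properties dialog shows what the version resource says about the file; this
records what an analyst needs to look it up or submit it: size, SHA-256 and the
link timestamp the compiler wrote into the COFF header.
"""
import datetime
import hashlib
import struct


def fingerprint(data):
    """Describe a file's bytes; 'pe' is None if the data is not a PE image."""
    info = {
        'size': len(data),
        'sha256': hashlib.sha256(data).hexdigest(),
        'pe': None,
    }
    # DOS stub: 'MZ' magic, e_lfanew (offset of the PE signature) at 0x3C.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return info
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return info
    # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, timestamp = struct.unpack_from('<HHI', data, e_lfanew + 4)
    characteristics = struct.unpack_from('<H', data, e_lfanew + 22)[0]
    info['pe'] = {
        'machine': hex(machine),
        'sections': nsections,
        'timestamp': timestamp,
        'link_time': datetime.datetime.fromtimestamp(
            timestamp, datetime.timezone.utc).isoformat(),
        'is_dll': bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
    }
    return info


def fingerprint_file(path):
    """Fingerprint a file on disk, e.g. C:\\Program Files\\Common Files\\bidispl3.exe."""
    with open(path, 'rb') as fh:
        return fingerprint(fh.read())


def build_sample_pe(timestamp, is_dll=False):
    """Construct a minimal PE-shaped byte string for offline use (not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(b'MZ' + b'\0' * 0x3A)          # 0x3C bytes of stub
    dos += struct.pack('<I', e_lfanew)              # e_lfanew lands at 0x3C
    dos += b'\0' * (e_lfanew - len(dos))            # pad up to the PE signature
    characteristics = 0x0102 | (0x2000 if is_dll else 0)
    coff = struct.pack('<HHIIIHH', 0x14C, 3, timestamp, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b'PE\0\0' + coff


if __name__ == '__main__':
    # Hypothetical timestamp chosen for the example (2007-09-17 UTC).
    sample = build_sample_pe(1190000000)
    for key, value in fingerprint(sample).items():
        print(f'{key}: {value}')
```

A link timestamp far from the file's creation date, or one that is zero, is a common sign of a packed or deliberately altered dropper, and the SHA-256 is what you would search for or submit alongside the file; neither replaces running the sample, which is what the helper asks for next.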
     
  17. 2007/10/19
    docfarms

    docfarms Inactive Thread Starter

    Joined:
    2007/10/14
    Messages:
    12
    Likes Received:
    0
    You Rock! :) Okay, so I got all of the other stuff deleted off. The bidispl3.exe didn't have a version tab, so I didn't see any specific info that I could gather. The second one SM1updtr.dll did though, and here is the info on that: Company - Cypress Semiconductor; File Version - 6.01.1000.0; Description - Cypress USB Mass Storage Driver Updater; & Product Name - Cypress USB Mass Storage Adapter. I'm doing the ATF Cleaner right now and will do the restore points stuff after I reboot.
     
  18. 2007/10/19
    docfarms

    docfarms Inactive Thread Starter

    Joined:
    2007/10/14
    Messages:
    12
    Likes Received:
    0
    And so now I have done the last 2 things and re-set my system restore point...it has a new time and date as of this evening.

    So, does this mean I am good to go? My computer is doing so much better. YEAH!!!! I am just so happy and proud that I was able to be self sufficient and find my own help in how to do all this. I am extremely grateful to you for your help.
     
  19. 2007/10/20
    docfarms

    docfarms Inactive Thread Starter

    Joined:
    2007/10/14
    Messages:
    12
    Likes Received:
    0
    Out of curiosity...on a scale of 1 to 10 (10 being the worst) how badly infected was my computer?
     
  20. 2007/10/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    1 to 10 ........ oh, probably about a 4

    Please upload bidispl3.exe to my submission channel so that I can analyze it. Leave a link back to this topic.
     
  21. 2007/10/20
    docfarms

    docfarms Inactive Thread Starter

    Joined:
    2007/10/14
    Messages:
    12
    Likes Received:
    0
    Okay, so I uploaded the link and the bidispl3.exe for you to analyze it - thanks again. My computer is really like, a completely new computer.

    I have a question off subject - and I just don't know where I would ask... You know how you can turn off your computer, or shut it down with the power button and not follow the regular "shut down" procedure; but when you reboot it, Windows will go through a process because the computer was not shut down properly. Well, my computer just re-starts like nothing happened. Is this something that I should get worried about, or try to fix?
     
