
Solved Brontok A

Discussion in 'Malware and Virus Removal Archive' started by Andy Cool, 2008/01/28.

  1. 2008/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Andy,

    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    http://www.windowsbbs.com/showthread.php?p=384474
    
    Suspect::[22]
    C:\WINDOWS\system32\drivers\wpmjwaiopdiu.sys
    File::
    C:\WINDOWS\system32\7A7.tmp
    C:\WINDOWS\system32\46C.tmp
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{A93A4625-6216-499C-B360-BBD0A7C0D479}"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Please note that I have instructed CFScript to collect a file for analysis. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned file. Please copy the path shown in the prompt and paste it into the box, then click Send. Thanks!
     
  2. 2008/02/13
    Andy Cool

    Andy Cool Inactive Thread Starter

    Joined:
    2007/10/12
    Messages:
    208
    Likes Received:
    0
    Hi Dave,
    Please find below the 2 logs. I am posting the ComboFix log from the zipped file on the desktop.

    ComboFix 08-02-13.2 - mohamed 2008-02-14 5:30:12.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.184 [GMT -8:00]
    Running from: C:\Documents and Settings\mohamed\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\mohamed\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\WINDOWS\system32\46C.tmp
    C:\WINDOWS\system32\7A7.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\46C.tmp
    C:\WINDOWS\system32\7A7.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
    .

    2008-02-14 05:21 . 2008-02-14 05:21 <DIR> d-------- C:\WINDOWS\LastGood
    2008-02-12 05:42 . 2004-08-04 04:00 388,608 --a------ C:\kmd.exe
    2008-02-09 06:24 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\wpmjwaiopdiu.sys
    2008-02-07 07:28 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
    2008-02-07 07:07 . 2004-08-04 04:00 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
    2008-02-07 06:51 . 2008-02-09 07:07 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-02-07 06:51 . 2008-02-09 07:07 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-02-07 06:51 . 2008-02-09 07:07 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-02-07 06:50 . 2008-02-09 07:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-02-07 06:48 . 2008-02-07 06:59 <DIR> d-------- C:\Documents and Settings\mohamed\Application Data\Yahoo!
    2008-02-07 06:48 . 2008-02-07 06:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-02-07 06:45 . 2008-02-07 06:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-02-02 23:43 . 2008-02-09 21:55 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-02 23:32 . 2008-02-02 23:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-02 23:32 . 2008-02-02 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-29 06:28 . 2008-02-09 21:54 <DIR> d-------- C:\Deckard
    2008-01-29 06:09 . 2008-02-09 21:54 <DIR> d-------- C:\cc478d51da801b1fcbbb93910d
    2008-01-23 08:30 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2008-01-22 06:10 . 2008-02-09 21:54 <DIR> d-------- C:\Program Files\IPWireless Inc
    2008-01-22 06:10 . 2004-03-11 21:28 118,784 --a------ C:\WINDOWS\system32\IpwUsb32.dll
    2008-01-22 06:10 . 2003-02-12 18:21 77,232 --a------ C:\WINDOWS\system32\drivers\ipw_mdm.sys
    2008-01-22 06:10 . 2003-12-18 07:51 24,576 -r------- C:\WINDOWS\system32\ipwcomm.dll
    2008-01-22 06:10 . 2003-02-12 18:21 6,080 --a------ C:\WINDOWS\system32\drivers\ipw_cm.sys
    2008-01-22 06:10 . 2003-02-12 18:21 6,032 --a------ C:\WINDOWS\system32\drivers\ipw_mdfl.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-11 15:33 --------- d-----w C:\Program Files\America Online 9.0
    2008-02-11 15:32 --------- d-----w C:\Documents and Settings\mohamed\Application Data\AOL
    2008-02-11 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-02-10 05:55 --------- d-----w C:\Program Files\Yahoo!
    2008-02-10 05:55 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-02-10 05:55 --------- d-----w C:\Program Files\Viewpoint
    2008-02-10 05:55 --------- d-----w C:\Program Files\TOSHIBA
    2008-02-10 05:55 --------- d-----w C:\Program Files\Synaptics
    2008-02-10 05:55 --------- d-----w C:\Program Files\Sonic
    2008-02-10 05:55 --------- d-----w C:\Program Files\Realtek
    2008-02-10 05:55 --------- d-----w C:\Program Files\Real
    2008-02-10 05:55 --------- d-----w C:\Program Files\QuickTime
    2008-02-10 05:55 --------- d-----w C:\Program Files\Pure Networks
    2008-02-10 05:55 --------- d-----w C:\Program Files\Protector Suite QL
    2008-02-10 05:55 --------- d-----w C:\Program Files\Ozone
    2008-02-10 05:55 --------- d-----w C:\Program Files\MSXML 4.0
    2008-02-10 05:55 --------- d-----w C:\Program Files\MSN Messenger
    2008-02-10 05:55 --------- d-----w C:\Program Files\MP3 CD Converter
    2008-02-10 05:55 --------- d-----w C:\Program Files\Microsoft.NET
    2008-02-10 05:55 --------- d-----w C:\Program Files\Microsoft Works
    2008-02-10 05:55 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-02-10 05:55 --------- d-----w C:\Program Files\Metamail Inc
    2008-02-10 05:55 --------- d-----w C:\Program Files\McAfee.com
    2008-02-10 05:55 --------- d-----w C:\Program Files\ltmoh
    2008-02-10 05:55 --------- d-----w C:\Program Files\Learn English
    2008-02-10 05:55 --------- d-----w C:\Program Files\Java
    2008-02-10 05:54 --------- d-----w C:\Program Files\InterVideo
    2008-02-10 05:54 --------- d-----w C:\Program Files\Intel
    2008-02-10 05:54 --------- d-----w C:\Program Files\illiminable
    2008-02-10 05:54 --------- d-----w C:\Program Files\Google
    2008-02-10 05:54 --------- d-----w C:\Program Files\easetech
    2008-02-10 05:54 --------- d-----w C:\Program Files\DVD-RAM
    2008-02-10 05:54 --------- d-----w C:\Program Files\Audio MP3 Converter
    2008-01-22 14:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-22 14:10 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-11-19 14:41 90,112 ----a-w C:\WINDOWS\system32\ALOAudioFormatSettings3.dll
    2007-11-19 14:41 90,112 ----a-w C:\WINDOWS\system32\agsaami.dll
    2007-11-19 14:41 877,568 ----a-w C:\WINDOWS\system32\ALOAudioFile2.dll
    2007-11-19 14:41 780,288 ----a-w C:\WINDOWS\system32\ALOVideoCompress.dll
    2007-11-19 14:41 778,240 ----a-w C:\WINDOWS\system32\ALOAudioCompress2.dll
    2007-11-19 14:41 753,664 ----a-w C:\WINDOWS\system32\agsaamg.dll
    2007-11-19 14:41 626,688 ----a-w C:\WINDOWS\system32\agsaamh.dll
    2007-11-19 14:41 551,424 ----a-w C:\WINDOWS\system32\agsaame.dll
    2007-11-19 14:41 544,256 ----a-w C:\WINDOWS\system32\agsaamd.dll
    2007-11-19 14:41 538,624 ----a-w C:\WINDOWS\system32\agsaamb.dll
    2007-11-19 14:41 495,104 ----a-w C:\WINDOWS\system32\ALOVideoCoreM.dll
    2007-11-19 14:41 403,968 ----a-w C:\WINDOWS\system32\ALOWMAFile2.dll
    2007-11-19 14:41 382,464 ----a-w C:\WINDOWS\system32\ALOAVIFile.dll
    2007-11-19 14:41 372,736 ----a-w C:\WINDOWS\system32\agsaamc.dll
    2007-11-19 14:41 331,776 ----a-w C:\WINDOWS\system32\agsaama.dll
    2007-11-19 14:41 249,856 ----a-w C:\WINDOWS\system32\ALOQuickTimeFile.dll
    2007-11-19 14:41 237,568 ----a-w C:\WINDOWS\system32\lame_enc.dll
    2007-11-19 14:41 215,552 ----a-w C:\WINDOWS\system32\ALOWMVFile.dll
    2007-11-19 14:41 2,846,720 ----a-w C:\WINDOWS\system32\ALOAudioCompress3.dll
    2007-11-19 14:41 2,846,720 ----a-w C:\WINDOWS\system32\agsaamj.dll
    2007-11-19 14:41 188,416 ----a-w C:\WINDOWS\system32\ALOVideoFile.dll
    2007-11-19 14:41 1,245,184 ----a-w C:\WINDOWS\system32\bkll.dll
    2004-02-23 08:00 1,386,496 --sh--r C:\WINDOWS\system32\msvbvm60.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
    "msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 12:20 68856]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
    "AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-08-18 09:28 50776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 11:05 212992]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29 303104]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 21:55 98304]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-27 21:52 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-27 21:55 118784]
    "TPSMain"="TPSMain.exe" [2005-05-31 21:00 282624 C:\WINDOWS\system32\TPSMain.exe]
    "PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 16:36 30208]
    "ThpSrv"="thpsrv /logon" []
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 14:02 352256]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 16:34 82009]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 16:32 761945]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-18 03:37 184320]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 06:29 88203 C:\WINDOWS\agrsmmsg.exe]
    "NDSTray.exe"="NDSTray.exe" []
    "TFncKy"="TFncKy.exe" []
    "DockMsgFrom"="C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe" [ ]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [ ]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 16:13 122880]
    "dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2005-10-06 05:20 122940]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 17:37 151552]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
    "TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2005-01-18 14:18 126976]
    "TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2005-03-17 21:08 81920]
    "RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15:49 15691264 C:\WINDOWS\RTHDCPL.exe]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 11:37 667718]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 10:41 602182]
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-06 14:24 26112]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
    "CFSServ.exe"="CFSServ.exe" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Metamail Trust Manager.lnk - C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2006-06-12 17:29:22 329472]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-05 19:10:57 155648]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableCMD"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    psqlpwd.dll 2006-05-05 16:48 40448 C:\WINDOWS\system32\psqlpwd.dll

    R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-27 22:31]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 11:24]
    R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2005-12-26 13:49]
    R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 11:08]
    R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 17:00]
    R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 16:59]
    R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2006-05-05 16:33]
    R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-09 21:26]
    R3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys [2003-02-12 18:21]
    R3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys [2003-02-12 18:21]
    R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2006-05-05 16:43]
    S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 14:47]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-14 13:29:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-14 05:31:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-14 5:32:03
    ComboFix-quarantined-files.txt 2008-02-14 13:32:01
    ComboFix2.txt 2008-02-12 13:45:10
    ComboFix3.txt 2008-02-12 13:33:25
    ComboFix4.txt 2008-02-10 06:00:36
    .
    2008-02-09 18:27:46 --- E O F ---
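The first post asks for a CFScript with three directives (Suspect:: to collect a file for analysis, File:: to delete files, Registry:: to delete a ShellExecuteHooks value) and the log above is what ComboFix produced from it. The following is an added example, not ComboFix code and not from either poster: it parses the script and the log and reports which requested deletions the "Other Deletions" section confirms, and whether the Suspect:: file (uploaded, not deleted) still appears among the recently created files. The two text blocks are excerpts reconstructed from the posts; the function names and report keys are this example's own assumptions.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example for this thread, not ComboFix code. The two text blocks are
excerpts reconstructed from the posts above; directive names and log
banners are theirs, function names and report keys are this example's.
"""
import re

# Constructed copy of the CFScript from the first post (thread URL omitted).
CFSCRIPT = r"""
Suspect::[22]
C:\WINDOWS\system32\drivers\wpmjwaiopdiu.sys
File::
C:\WINDOWS\system32\7A7.tmp
C:\WINDOWS\system32\46C.tmp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A93A4625-6216-499C-B360-BBD0A7C0D479}"=-
"""

# Constructed excerpt of the ComboFix log from the second post.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\46C.tmp
C:\WINDOWS\system32\7A7.tmp
.
((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.
2008-02-14 05:21 . 2008-02-14 05:21 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-09 06:24 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\wpmjwaiopdiu.sys
"""

DIRECTIVE = re.compile(r"^(?P<name>[A-Za-z]+)::(?:\[(?P<opt>[^\]]*)\])?$")
BANNER = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+\S+\s+(?P<path>.+)$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_cfscript(text):
    """Group CFScript lines under their directive, e.g. {'File': [paths]}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = DIRECTIVE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif line and current is not None:  # text before the first directive is ignored
            sections[current].append(line)
    return sections

def parse_registry_block(lines):
    """(key, value name, action) triples; data '-' means delete (.reg convention)."""
    entries, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = REG_VALUE.match(line)
            if m and key:
                action = "delete" if m.group("data") == "-" else "set"
                entries.append((key, m.group("name"), action))
    return entries

def parse_combofix_log(text):
    """Split the log into {banner title: [lines]}; pre-banner lines go to 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in (l.strip() for l in text.splitlines()):
        m = BANNER.match(line)
        if m:
            current = m.group("title")
            sections[current] = []
        elif line and line != ".":  # ComboFix uses lone dots as spacers
            sections[current].append(line)
    return sections

def section(log, prefix):
    # First section whose title starts with prefix (some titles carry dates).
    return next((v for k, v in log.items() if k.startswith(prefix)), [])

def cross_check(cfscript_text, log_text):
    """Which File:: targets the log confirms deleted, and whether the Suspect::
    file (uploaded for analysis, not deleted) is still among recent files."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_log(log_text)
    deleted = {p.lower() for p in section(log, "Other Deletions")}
    created = set()
    for line in section(log, "Files Created"):
        m = CREATED.match(line)
        if m:
            created.add(m.group("path").lower())
    wanted = script.get("File", [])
    return {
        "deleted_confirmed": sorted(p for p in wanted if p.lower() in deleted),
        "deleted_missing": sorted(p for p in wanted if p.lower() not in deleted),
        "suspect_still_present": sorted(
            p for p in script.get("Suspect", []) if p.lower() in created),
        "registry": parse_registry_block(script.get("Registry", [])),
    }

if __name__ == "__main__":
    print(cross_check(CFSCRIPT, COMBOFIX_LOG))
```

Run against the excerpt, the report confirms both .tmp files as deleted, lists no missing deletions, and shows the driver named under Suspect:: still present in the "Files Created" list, which is expected since that directive only packages the file for upload. Path comparison is case-insensitive because ComboFix echoes paths in varying case.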
     


  4. 2008/02/13
    Andy Cool

    Here is the HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:35:14 AM, on 2/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\system32\ThpSrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\thpsrv.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\system32\dla\DLACTRLW.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Protector Suite QL\psqltray.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\IPWireless Inc\IPWireless PC Software\UEStatus.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
    O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [DockMsgFrom] C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
    O4 - Global Startup: Metamail Trust Manager.lnk = C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0C4C7CA9-5CB1-41D2-9E5A-35362D4CEFB4}: NameServer = 85.112.85.85 85.112.85.86
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CB27FA68-A18C-45DE-AE89-F3CBBB9FE5CE}: NameServer = 192.168.1.1,192.168.1.5
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
    O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

    --
    End of file - 11694 bytes
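A HijackThis log like the one above is read line type by line type, and a few of those types are where a reviewer spends most of the time. The following is an added example, not HijackThis code and not from either poster: it parses O4, O16, O17 and O23 lines and lists the items usually verified by hand, namely Run values given as a bare file name (resolved through the PATH search at logon, so the file actually loaded has to be located), the name servers configured per interface tagged private/public for comparison with the router's or ISP's resolvers, services with no recognised owner, and ActiveX downloads fetched from a remote URL. The sample lines are an excerpt reconstructed from the log above; the function names and finding keys are this example's own assumptions, and a listing here means "check", not "malicious".

```python
"""Triage helper for a HijackThis 2.0.2 log.

Added example for this thread, not HijackThis code. It parses four of the
line types in the log above and lists what a reviewer usually verifies by
hand; the sample lines are an excerpt reconstructed from that post, and
the function names and finding keys are this example's own.
"""
import ipaddress
import re

# Constructed excerpt of the HijackThis log posted above.
HJT_SAMPLE = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C4C7CA9-5CB1-41D2-9E5A-35362D4CEFB4}: NameServer = 85.112.85.85 85.112.85.86
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB27FA68-A18C-45DE-AE89-F3CBBB9FE5CE}: NameServer = 192.168.1.1,192.168.1.5
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
"""

LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.*)$")
O4_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_DPF = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<src>.+)$")
O17_DNS = re.compile(r"^.*\\(?P<iface>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$")
O23_SVC = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def executable_of(cmd):
    """The program part of a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def scope_of(address):
    """'private' for RFC 1918 / loopback style addresses, 'public' otherwise."""
    try:
        return "private" if ipaddress.ip_address(address).is_private else "public"
    except ValueError:
        return "invalid"

def triage(text):
    """Collect the entries worth a second look:
    - O4 Run values given as a bare file name (Windows resolves these through
      the PATH search at logon, so the file actually loaded must be located),
    - O17 name servers per interface, tagged private/public,
    - O23 services whose binary carries no recognised owner,
    - O16 ActiveX downloads that come from a remote URL."""
    f = {"bare_run_entries": [], "name_servers": {},
         "unknown_owner_services": [], "remote_dpf": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "O4":
            m4 = O4_RUN.match(rest)
            if m4:
                exe = executable_of(m4.group("cmd"))
                if "\\" not in exe and ":" not in exe:  # no directory given
                    f["bare_run_entries"].append((m4.group("hive"), m4.group("name"), exe))
        elif kind == "O17":
            m17 = O17_DNS.match(rest)
            if m17:
                servers = [s for s in re.split(r"[,\s]+", m17.group("servers")) if s]
                f["name_servers"][m17.group("iface")] = [(s, scope_of(s)) for s in servers]
        elif kind == "O23":
            m23 = O23_SVC.match(rest)
            if m23 and m23.group("owner") == "Unknown owner":
                f["unknown_owner_services"].append((m23.group("name"), m23.group("path")))
        elif kind == "O16":
            m16 = O16_DPF.match(rest)
            if m16 and m16.group("src").lower().startswith(("http://", "https://")):
                f["remote_dpf"].append((m16.group("desc"), m16.group("src")))
    return f

if __name__ == "__main__":
    for key, value in triage(HJT_SAMPLE).items():
        print(f"{key}: {value}")
```

On the excerpt this lists three bare Run values (TPSMain.exe, thpsrv, CFSServ.exe), the two public resolvers on one interface and the two private ones on the other, the Swupdtmr service with no owner string, and the one DPF entry fetched over HTTP. Each is a verification item for the analyst, which is how the logs in this thread are read: the bare entries here belong to Toshiba utilities found in the running-process list above, and the public resolvers are something to confirm with the ISP.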
     
  5. 2008/02/15
    noahdfear

    How are things now Andy? Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report along with a fresh dss log.
     
  6. 2008/02/16
    Andy Cool

    Hi Dave,

    Please find the Panda log.

    Incident Status Location

    Virus:W32/Radoppan.I Disinfected C:\Deckard\System Scanner\20080204063001\backup\DOCUME~1\mohamed\LOCALS~1\Temp\RN1A.htm
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mohamed\Cookies\mohamed@ad.yieldmanager[2].txt
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\mohamed\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\mohamed\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\mohamed\Desktop\Flash_Disinfector.exe[nircmd.exe]
    Virus:W32/Radoppan.I Disinfected C:\Program Files\America Online 9.0\MyCalendar\help\cal_help.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\America Online 9.0\MyCalendar.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\America Online 9.0\pp.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\InterVideo\WinDVD\Html\Default\InterVideo.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\InterVideo\WinDVD\Html\Default\WinDVD.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\InterVideo\WinDVD\Html\ENU\InterVideo.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\InterVideo\WinDVD\Html\ENU\WinDVD.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\IPWireless Inc\IPWireless PC Software\Documents\Version.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\IPWireless Inc\IPWireless PC Software\FindExe.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Learn English\Effects\Help\LearnE2A.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Learn English\Games\game.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Learn English\Internet\1article.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Metamail Inc\Metamail Tray\MetamailTrayAbout.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\CLRCHK.JSP
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\FONTLIST.JSP
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\OFREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\OLREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\ONREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\ONTOUR.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\ONTOURNF.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\ONTOURST.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\PBREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\PPREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\PVREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\WDREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\1033\XLREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Microsoft Office\OFFICE11\INTLBAND.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Ozone\Audio Converter\help\help.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\QuickTime\QuickTime Read Me.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Real\RealPlayer\playrlic.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Real\RealPlayer\Readme.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\Bad_Read_Source.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\BufferUnderrun.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\copy_err.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\Drives_In_Use.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\Files.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\music_scan.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\Recording.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\Space_Disc.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\Space_HDD.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\Testing_Disc.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\Unknown_Error.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Explain\Verify.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\readme.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\1.0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\2.0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\2.1.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\2.2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\2.3.htm
     
  7. 2008/02/16
    Andy Cool

    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\2.5.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\3.0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\3.1.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\3.2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\3.3.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\3.5.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\4.0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\4.1.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\4.2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\5.0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\5.1.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\5.1a.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\5.2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\6.0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\6.1.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\6.2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\7.0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\Adv.0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\Adv.1.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\Adv.2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\Adv.3.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\Adv.4.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\Adv.5.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\glossary.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\index.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Sonic\RecordNow!\upgrade.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\cfloghis.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\cflogtmp.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF1\cf1_0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF1\cf1_1.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF1\cf1_2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF1\cf1_3.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF1\header.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF1\menu.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF1\top.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF1\top2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF2\cf2_0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF2\cf2_1.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF2\cf2_2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF2\cf2_3.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF2\cf2_4.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF2\cf2_5.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF2\cf2_6.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF2\cf2_7.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_0.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_1.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_10.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_11.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_13.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_17.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_2.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_3.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_4.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_5.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_6.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_7.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_8.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\CF3\cf3_9.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\ConfigFree\FUG\index.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\MyConnect Special Offer\specialoffer.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\kihon_bottom.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\kihon_header.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\kihon_index.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\kihon_left.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\kihon_main.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\kihon_right.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\shindan_bottom.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\shindan_header.htm
     
  8. 2008/02/16
    Andy Cool

    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\shindan_index.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\shindan_left.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\shindan_main.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\PCDiag\shindan_right.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\TOSHIBA\Windows Utilities\SVPWTool\README.HTM
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-au\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-au\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-ca\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-ca\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-gb\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-gb\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-id\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-id\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-ie\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-ie\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-in\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-in\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-my\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-my\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-nz\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-nz\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-ph\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-ph\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-sg\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-sg\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-us\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-us\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-ww\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-ww\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-za\noext.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Windows Live Toolbar\en-za\offline.htm
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_atb.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_catb.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_cnf.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_cotb.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_ctb.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_fantip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_fantipg.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_fintip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_fintipg.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_grptip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_grptipg.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_logtip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_mailatip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_mailtip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_map.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_mlbtip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_mlbtipg.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_msgratip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_msgrtip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_nbatip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_nbatipg.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_newstip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_newstipg.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_nfltip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_nfltipg.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_opt.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_pub.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_srchtip.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_upg.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Companion\Data\dlg_wp.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Yahoo! Music Engine\offline\cd.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Yahoo! Music Engine\offline\default.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Yahoo! Music Engine\offline\devices.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Yahoo! Music Engine\offline\home.html
    Virus:W32/Radoppan.I Disinfected C:\Program Files\Yahoo!\Yahoo! Music Engine\offline\networkmusic.html
    Virus:W32/Radoppan.AP.worm Disinfected C:\QooBox\Quarantine\C\autorun.inf.vir
    Possible Virus. Not disinfected C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Dat.vir
    Possible Virus. Not disinfected C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Sys.vir
    Possible Virus. Not disinfected C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.win.vir
    Virus:W32/Radoppan.U.drp Renamed C:\QooBox\Quarantine\C\setup.exe.vir
    Virus:W32/Radoppan.U.drp Renamed C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spoclsv.exe.vir
    Virus:W32/Radoppan.AP.worm Disinfected C:\QooBox\Quarantine\E\autorun.inf.vir
    Virus:W32/Radoppan.U.drp Renamed C:\QooBox\Quarantine\E\setup.exe.vir
    Virus:W32/Radoppan.U.drp Renamed C:\setup_exe.vir
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
    Virus:W32/Radoppan.U.drp Renamed C:\WINDOWS\system32\drivers\spoclsv_exe.vir
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\COMMON\MSSHARED\WKSHARED\OEM\WS06WARR.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\STANDARD\HELP.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\STANDARD\PAGES.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\STANDARD\START.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\STANDARD\TASKS.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\STANDARD\WKSGSG.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\SUITE\HELP.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\SUITE\PAGES.HTM
     
  9. 2008/02/16
    Andy Cool

    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\SUITE\START.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\SUITE\TASKS.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\MSWORKS\SUITE\WKSGSG.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\MSWORKS\PFILES\OFFICE\PPV\PVREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\OFFICE\FILES\PFILES\MSOFFICE\OFFICE11\1033\OFREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\OFFICE\FILES\PFILES\MSOFFICE\OFFICE11\1033\OLREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\OFFICE\FILES\PFILES\MSOFFICE\OFFICE11\1033\PBREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\OFFICE\FILES\PFILES\MSOFFICE\OFFICE11\1033\PPREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\OFFICE\FILES\PFILES\MSOFFICE\OFFICE11\1033\PVREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\OFFICE\FILES\PFILES\MSOFFICE\OFFICE11\1033\WDREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\OFFICE\FILES\PFILES\MSOFFICE\OFFICE11\1033\XLREADME.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\OFFICE\README.HTM
    Virus:W32/Radoppan.I Disinfected C:\WORKSSETUP\OFFICE\SETUP.HTM
     
  10. 2008/02/16
    Andy Cool

    Here is the fresh DSS log after running Panda.

    Deckard's System Scanner v20071014.68
    Run by mohamed on 2008-02-16 23:54:10
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 502 MiB (512 MiB recommended).


    -- HijackThis (run as mohamed.exe) ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:54:20 PM, on 2/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\system32\ThpSrv.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\thpsrv.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Protector Suite QL\psqltray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\system32\dla\DLACTRLW.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\IPWireless Inc\IPWireless PC Software\UEStatus.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\mohamed\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\mohamed.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
    O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [DockMsgFrom] C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
    O4 - Global Startup: Metamail Trust Manager.lnk = C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0C4C7CA9-5CB1-41D2-9E5A-35362D4CEFB4}: NameServer = 85.112.85.85 85.112.85.86
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CB27FA68-A18C-45DE-AE89-F3CBBB9FE5CE}: NameServer = 192.168.1.1,192.168.1.5
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
    O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

    --
    End of file - 11696 bytes

    -- Files created between 2008-01-16 and 2008-02-16 -----------------------------

    2008-02-16 23:06:39 8576 --a------ C:\WINDOWS\system32\drivers\ekmwemyqfbxq.sys <Not Verified; Panda Software International; RKPavProc Driver>
    2008-02-09 22:16:29 0 drahs---- C:\autorun.inf
    2008-02-09 21:52:45 68096 --a------ C:\WINDOWS\system32\zip.exe
    2008-02-09 21:52:45 98816 --a------ C:\WINDOWS\system32\sed.exe
    2008-02-09 21:52:45 80412 --a------ C:\WINDOWS\system32\grep.exe
    2008-02-09 21:52:45 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-02-09 06:24:12 8576 --a------ C:\WINDOWS\system32\drivers\wpmjwaiopdiu.sys <Not Verified; Panda Software International; RKPavProc Driver>
    2008-02-07 07:28:19 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
    2008-02-07 06:50:56 0 d-------- C:\WINDOWS\system32\ActiveScan
    2008-02-07 06:48:51 0 d-------- C:\Documents and Settings\mohamed\Application Data\Yahoo!
    2008-02-07 06:48:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-02-07 06:45:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-02-07 06:20:07 0 d-------- C:\980bebc1b839fe1333
    2008-02-07 06:14:04 0 d-------- C:\6dac0fb86b4deb069a9600633777
    2008-02-02 23:43:35 0 d-------- C:\Program Files\Trend Micro
    2008-02-02 23:32:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-02 23:32:51 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-01-29 06:09:58 0 d-------- C:\cc478d51da801b1fcbbb93910d
    2008-01-22 06:10:36 24576 -r------- C:\WINDOWS\system32\ipwcomm.dll <Not Verified; IPWireless; IPWireless 3G Adapter>
    2008-01-22 06:10:03 0 d-------- C:\Program Files\IPWireless Inc


    -- Find3M Report ---------------------------------------------------------------

    2008-02-16 23:31:02 0 d-------- C:\Program Files\Windows Live Toolbar
    2008-02-16 23:30:34 0 d-------- C:\Program Files\Protector Suite QL
    2008-02-16 23:30:23 0 d-------- C:\Program Files\MSN Messenger
    2008-02-16 23:28:50 0 d-------- C:\Program Files\ltmoh
    2008-02-16 23:27:54 0 d-------- C:\Program Files\Google
    2008-02-11 07:33:03 0 d-------- C:\Program Files\America Online 9.0
    2008-02-11 07:32:37 0 d-------- C:\Documents and Settings\mohamed\Application Data\AOL
    2008-02-09 21:55:48 0 d-------- C:\Program Files\Yahoo!
    2008-02-09 21:55:46 0 d-------- C:\Program Files\Viewpoint
    2008-02-09 21:55:41 0 d-------- C:\Program Files\TOSHIBA
    2008-02-09 21:55:39 0 d-------- C:\Program Files\Synaptics
    2008-02-09 21:55:39 0 d-------- C:\Program Files\Sonic
    2008-02-09 21:55:38 0 d-------- C:\Program Files\Realtek
    2008-02-09 21:55:37 0 d-------- C:\Program Files\Real
    2008-02-09 21:55:37 0 d-------- C:\Program Files\QuickTime
    2008-02-09 21:55:37 0 d-------- C:\Program Files\Pure Networks
    2008-02-09 21:55:35 0 d-------- C:\Program Files\Ozone
    2008-02-09 21:55:35 0 d-------- C:\Program Files\Online Services
    2008-02-09 21:55:35 0 d-------- C:\Program Files\MSXML 4.0
    2008-02-09 21:55:33 0 d-------- C:\Program Files\MSN Gaming Zone
    2008-02-09 21:55:32 0 d-------- C:\Program Files\MP3 CD Converter
    2008-02-09 21:55:32 0 d-------- C:\Program Files\Microsoft.NET
    2008-02-09 21:55:32 0 d-------- C:\Program Files\Microsoft Works
    2008-02-09 21:55:28 0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-02-09 21:55:27 0 d-------- C:\Program Files\Metamail Inc
    2008-02-09 21:55:26 0 d-------- C:\Program Files\McAfee.com
    2008-02-09 21:55:05 0 d-------- C:\Program Files\Learn English
    2008-02-09 21:55:03 0 d-------- C:\Program Files\Java
    2008-02-09 21:54:56 0 d-------- C:\Program Files\InterVideo
    2008-02-09 21:54:56 0 d-------- C:\Program Files\Intel
    2008-02-09 21:54:55 0 d-------- C:\Program Files\illiminable
    2008-02-09 21:54:54 0 d-------- C:\Program Files\easetech
    2008-02-09 21:54:54 0 d-------- C:\Program Files\DVD-RAM
    2008-02-09 21:54:54 0 d-------- C:\Program Files\Audio MP3 Converter
    2008-02-07 06:47:07 0 d-------- C:\Documents and Settings\mohamed\Application Data\Adobe
    2008-01-22 06:10:06 0 d-------- C:\Program Files\Common Files\InstallShield
    2008-01-22 06:10:03 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-11-19 06:41:43 2846720 --a------ C:\WINDOWS\system32\agsaamj.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
    2007-11-19 06:41:43 90112 --a------ C:\WINDOWS\system32\agsaami.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
    2007-11-19 06:41:43 626688 --a------ C:\WINDOWS\system32\agsaamh.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCDGrabber2.dll Module>
    2007-11-19 06:41:43 753664 --a------ C:\WINDOWS\system32\agsaamg.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFile3 Module>
    2007-11-19 06:41:43 551424 --a------ C:\WINDOWS\system32\agsaame.dll <Not Verified; Online Media Technologies Ltd.; NCTDataDVDWriter2 Module>
    2007-11-19 06:41:43 544256 --a------ C:\WINDOWS\system32\agsaamd.dll <Not Verified; Online Media Technologies Ltd.; NCTDataCDWriter2 Module>
    2007-11-19 06:41:42 237568 --a------ C:\WINDOWS\system32\lame_enc.dll
    2007-11-19 06:41:42 372736 --a------ C:\WINDOWS\system32\agsaamc.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFileWMA3 Module>
    2007-11-19 06:41:42 538624 --a------ C:\WINDOWS\system32\agsaamb.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCDWriter2 Module>
    2007-11-19 06:41:42 331776 --a------ C:\WINDOWS\system32\agsaama.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioPlayer3 Module>
    2007-11-19 06:41:38 1245184 --a------ C:\WINDOWS\system32\bkll.dll <Not Verified; NCT Company Ltd.; NCTRMFile ActiveX DLL>
    2007-11-19 06:41:38 215552 --a------ C:\WINDOWS\system32\ALOWMVFile.dll <Not Verified; NCT Company Ltd.; NCTWMVFile ActiveX DLL>
    2007-11-19 06:41:38 403968 --a------ C:\WINDOWS\system32\ALOWMAFile2.dll <Not Verified; Online Media Technologies Ltd.; NCTWMAFile2 ActiveX DLL>
    2007-11-19 06:41:38 188416 --a------ C:\WINDOWS\system32\ALOVideoFile.dll <Not Verified; NCT Company Ltd.; NCTVideoFile ActiveX DLL>
    2007-11-19 06:41:38 495104 --a------ C:\WINDOWS\system32\ALOVideoCoreM.dll <Not Verified; NCT Company Ltd.; NCTVideoCoreM ActiveX DLL>
    2007-11-19 06:41:38 780288 --a------ C:\WINDOWS\system32\ALOVideoCompress.dll <Not Verified; NCT Company Ltd.; NCTVideoCompress ActiveX DLL>
    2007-11-19 06:41:38 249856 --a------ C:\WINDOWS\system32\ALOQuickTimeFile.dll <Not Verified; Online Media Technologies Company Ltd.; NCTQuickTimeFile Module>
    2007-11-19 06:41:38 382464 --a------ C:\WINDOWS\system32\ALOAVIFile.dll <Not Verified; NCT Company Ltd.; NCTAVIFile ActiveX DLL>
    2007-11-19 06:41:38 90112 --a------ C:\WINDOWS\system32\ALOAudioFormatSettings3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
    2007-11-19 06:41:38 877568 --a------ C:\WINDOWS\system32\ALOAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
    2007-11-19 06:41:37 2846720 --a------ C:\WINDOWS\system32\ALOAudioCompress3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
    2007-11-19 06:41:37 778240 --a------ C:\WINDOWS\system32\ALOAudioCompress2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress2 Module>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 11:05 AM]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 05:29 PM]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/27/2005 09:55 PM]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/27/2005 09:52 PM]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/27/2005 09:55 PM]
    "TPSMain"="TPSMain.exe" [05/31/2005 09:00 PM C:\WINDOWS\system32\TPSMain.exe]
    "PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [05/05/2006 04:36 PM]
    "ThpSrv"="thpsrv /logon" []
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [01/05/2006 02:02 PM]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [12/16/2005 04:34 PM]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [12/16/2005 04:32 PM]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [08/18/2004 03:37 AM]
    "AGRSMMSG"="AGRSMMSG.exe" [10/15/2005 06:29 AM C:\WINDOWS\agrsmmsg.exe]
    "NDSTray.exe"="NDSTray.exe" []
    "TFncKy"="TFncKy.exe" []
    "DockMsgFrom"="C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe" []
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [04/26/2005 04:13 PM]
    "dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [10/06/2005 05:20 AM]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [03/17/2005 05:37 PM]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 05:18 PM]
    "TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [01/18/2005 02:18 PM]
    "TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [03/17/2005 09:08 PM]
    "RTHDCPL"="RTHDCPL.EXE" [12/09/2005 03:49 PM C:\WINDOWS\RTHDCPL.exe]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [12/05/2005 11:37 AM]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [11/28/2005 10:41 AM]
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 12:49 PM]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [12/06/2005 02:24 PM]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 09:02 PM]
    "CFSServ.exe"="CFSServ.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [12/30/2004 12:32 AM]
    "msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 11:54 AM]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/05/2007 12:20 PM]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
    "AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [08/18/2005 09:28 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Metamail Trust Manager.lnk - C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [6/12/2006 5:29:22 PM]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [12/5/2005 7:10:57 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableCMD"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    psqlpwd.dll 05/05/2006 04:48 PM 40448 C:\WINDOWS\system32\psqlpwd.dll

    *Newly Created Service* - EKMWEMYQFBXQ



    -- End of Deckard's System Scanner: finished at 2008-02-16 23:54:43 ------------
     
  11. 2008/02/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Run ATF Cleaner using the Select All option. Exit when notified it's complete.

    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\drivers\spoclsv_exe.vir
    C:\WINDOWS\system32\drivers\spoclsv_exe
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Once done, run the Panda scan again and post the new report.
     
  12. 2008/02/21
    Andy Cool

    Andy Cool Inactive Thread Starter

    Joined:
    2007/10/12
    Messages:
    208
    Likes Received:
    0
    Hi Dave,

    I have downloaded ComboFix and I am running the Panda scan, but I forgot to run ATF Cleaner before doing both actions. :confused: Is this a problem? Find attached the ComboFix log:

    ComboFix 08-02-21 - mohamed 2008-02-22 6:54:44.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.217 [GMT -8:00]
    Running from: C:\Documents and Settings\mohamed\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\mohamed\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\drivers\spoclsv_exe
    C:\WINDOWS\system32\drivers\spoclsv_exe.vir
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\spoclsv_exe.vir

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
    .

    2008-02-09 06:24 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\wpmjwaiopdiu.sys
    2008-02-07 07:28 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
    2008-02-07 07:07 . 2004-08-04 04:00 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
    2008-02-07 06:51 . 2008-02-16 23:00 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-02-07 06:51 . 2008-02-16 23:00 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-02-07 06:51 . 2008-02-16 23:00 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-02-07 06:50 . 2008-02-16 23:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-02-07 06:48 . 2008-02-07 06:59 <DIR> d-------- C:\Documents and Settings\mohamed\Application Data\Yahoo!
    2008-02-07 06:48 . 2008-02-07 06:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-02-07 06:45 . 2008-02-07 06:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-02-02 23:43 . 2008-02-09 21:55 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-02 23:32 . 2008-02-02 23:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-02 23:32 . 2008-02-02 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-29 06:28 . 2008-02-09 21:54 <DIR> d-------- C:\Deckard
    2008-01-29 06:09 . 2008-02-09 21:54 <DIR> d-------- C:\cc478d51da801b1fcbbb93910d
    2008-01-23 08:30 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2008-01-22 06:10 . 2008-02-09 21:54 <DIR> d-------- C:\Program Files\IPWireless Inc
    2008-01-22 06:10 . 2004-03-11 21:28 118,784 --a------ C:\WINDOWS\system32\IpwUsb32.dll
    2008-01-22 06:10 . 2003-02-12 18:21 77,232 --a------ C:\WINDOWS\system32\drivers\ipw_mdm.sys
    2008-01-22 06:10 . 2003-12-18 07:51 24,576 -r------- C:\WINDOWS\system32\ipwcomm.dll
    2008-01-22 06:10 . 2003-02-12 18:21 6,080 --a------ C:\WINDOWS\system32\drivers\ipw_cm.sys
    2008-01-22 06:10 . 2003-02-12 18:21 6,032 --a------ C:\WINDOWS\system32\drivers\ipw_mdfl.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-17 13:40 --------- d-----w C:\Program Files\America Online 9.0
    2008-02-17 07:31 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-02-17 07:30 --------- d-----w C:\Program Files\Protector Suite QL
    2008-02-17 07:30 --------- d-----w C:\Program Files\MSN Messenger
    2008-02-17 07:28 --------- d-----w C:\Program Files\ltmoh
    2008-02-17 07:27 --------- d-----w C:\Program Files\Google
    2008-02-11 15:32 --------- d-----w C:\Documents and Settings\mohamed\Application Data\AOL
    2008-02-11 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-02-10 05:54 --------- d-----w C:\Program Files\InterVideo
    2008-02-10 05:54 --------- d-----w C:\Program Files\Intel
    2008-02-10 05:54 --------- d-----w C:\Program Files\illiminable
    2008-02-10 05:54 --------- d-----w C:\Program Files\easetech
    2008-02-10 05:54 --------- d-----w C:\Program Files\DVD-RAM
    2008-02-10 05:54 --------- d-----w C:\Program Files\Audio MP3 Converter
    2008-01-22 14:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-22 14:10 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
    2004-02-23 08:00 1,386,496 --sh--r C:\WINDOWS\system32\msvbvm60.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
    "msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 12:20 68856]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
    "AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-08-18 09:28 50776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 11:05 212992]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29 303104]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 21:55 98304]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-27 21:52 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-27 21:55 118784]
    "TPSMain"="TPSMain.exe" [2005-05-31 21:00 282624 C:\WINDOWS\system32\TPSMain.exe]
    "PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 16:36 30208]
    "ThpSrv"="thpsrv /logon" []
    "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 14:02 352256]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 16:34 82009]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 16:32 761945]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-18 03:37 184320]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 06:29 88203 C:\WINDOWS\agrsmmsg.exe]
    "NDSTray.exe"="NDSTray.exe" []
    "TFncKy"="TFncKy.exe" []
    "DockMsgFrom"="C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe" [ ]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [ ]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 16:13 122880]
    "dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2005-10-06 05:20 122940]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 17:37 151552]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
    "TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2005-01-18 14:18 126976]
    "TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2005-03-17 21:08 81920]
    "RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15:49 15691264 C:\WINDOWS\RTHDCPL.exe]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 11:37 667718]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 10:41 602182]
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-06 14:24 26112]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
    "CFSServ.exe"="CFSServ.exe" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Metamail Trust Manager.lnk - C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2006-06-12 17:29:22 329472]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-05 19:10:57 155648]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableCMD"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    psqlpwd.dll 2006-05-05 16:48 40448 C:\WINDOWS\system32\psqlpwd.dll

    R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-27 22:31]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 11:24]
    R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2005-12-26 13:49]
    R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 11:08]
    R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 17:00]
    R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 16:59]
    R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2006-05-05 16:33]
    R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-09 21:26]
    R3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys [2003-02-12 18:21]
    R3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys [2003-02-12 18:21]
    R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2006-05-05 16:43]
    S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 14:47]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-17 15:29:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-22 06:56:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-22 6:56:50
    ComboFix-quarantined-files.txt 2008-02-22 14:56:49
    ComboFix2.txt 2008-02-14 13:32:03
    ComboFix3.txt 2008-02-12 13:45:10
    ComboFix4.txt 2008-02-12 13:33:25
    ComboFix5.txt 2008-02-10 06:00:36
    .
    2008-02-16 15:15:49 --- E O F ---
     
  13. 2008/02/21
    Andy Cool

    Andy Cool Inactive Thread Starter

    Joined:
    2007/10/12
    Messages:
    208
    Likes Received:
    0
    Panda's log below:


    Incident Status Location

    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\mohamed\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\mohamed\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
    Possible Virus. Not disinfected C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Dat.vir
    Possible Virus. Not disinfected C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Sys.vir
    Possible Virus. Not disinfected C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.win.vir
    Virus:W32/Radoppan.U.drp Renamed C:\QooBox\Quarantine\C\setup.exe.vir
    Virus:W32/Radoppan.U.drp Renamed C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spoclsv.exe.vir
    Virus:W32/Radoppan.U.drp Renamed C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spoclsv_exe.vir.vir
    Virus:W32/Radoppan.U.drp Renamed C:\QooBox\Quarantine\E\setup.exe.vir
    Virus:W32/Radoppan.U.drp Renamed C:\setup_exe.vir
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
     
  14. 2008/02/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Running ATF Cleaner was an important step; however, you may be in the clear anyway. Please delete the following file.

    C:\setup_exe.vir

    If you find another file similarly named, such as C:\setup_exe.vir.vir, delete it as well.

    Run ATF Cleaner, using the Select All option. Reboot when complete.

    Update your McAfee antivirus and run a full system scan. When complete, please do an online scan with Kaspersky WebScanner.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  15. 2008/02/23
    Andy Cool

    Andy Cool Inactive Thread Starter

    Joined:
    2007/10/12
    Messages:
    208
    Likes Received:
    0
    Hi Dave,

    Thanks for the reply... My McAfee license has expired.. this is why I guess I got those viruses!! :((
    Shall I skip this and go for Kaspersky directly??
     
  16. 2008/02/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You need to get an antivirus application installed, now. If you're not going to purchase something right now, get AVG or Avast as a free alternative. Do uninstall all other antivirus applications first.
     
  17. 2008/02/23
    Andy Cool

    Andy Cool Inactive Thread Starter

    Joined:
    2007/10/12
    Messages:
    208
    Likes Received:
    0
    Hi Dave,

    Couldn't find any of the files manually!! I have run ATF Cleaner, rebooted, and downloaded AVG Anti-Virus and AVG Anti-Spyware.

    I did the full scan and I guess the files were found and deleted, and I have also done a full spyware check. I am currently doing the Kaspersky scan. I am attaching the logs of both AVG scans in case this helps out.

    AVG Virus Log:

    <history>
    <!-- 01c876abc0b10150 -->
    <rec time="2008/02/24 06:09:02" user="SYSTEM" source="Update">
    <value>@HL_UpdateOK</value>
    <attr name="version">avi:1269-1262;banner:489-488;iavi:1304-1281;</attr>
    </rec>
    <rec time="2008/02/24 06:09:37" user="mohamed" source="General">
    <value>@HL_TestStarted</value>
    <attr name="testname">@TestName_02</attr>
    </rec>
    <rec time="2008/02/24 06:09:46" user="mohamed" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\setup_exe.vir</attr>
    <attr name="type">@EID_Id_vir</attr>
    <attr name="what">Worm/Generic.AHA</attr>
    </rec>
    <rec time="2008/02/24 06:09:50" user="mohamed" source="General">
    <value>@HL_TestEnded</value>
    <attr name="testname">@TestName_02</attr>
    <attr name="infectedfiles">1</attr>
    </rec>
    <rec time="2008/02/24 06:09:50" user="mohamed" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\setup_exe.vir</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2008/02/24 06:23:35" user="mohamed" source="General">
    <value>@HL_TestStarted</value>
    <attr name="testname">@TestName_02</attr>
    </rec>
    <rec time="2008/02/24 06:31:07" user="mohamed" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\Program Files\Common Files\Microsoft Shared\MSInfo\QQGS1.dll</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">PSW.Generic5.GHD</attr>
    </rec>
    <rec time="2008/02/24 06:39:23" user="mohamed" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\QooBox\Quarantine\C\setup.exe.vir</attr>
    <attr name="type">@EID_Id_vir</attr>
    <attr name="what">Worm/Generic.AHA</attr>
    </rec>
    <rec time="2008/02/24 06:39:23" user="mohamed" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Sys.vir</attr>
    <attr name="type">@EID_Id_trj</attr>
    <attr name="what">PSW.Generic5.AJSE</attr>
    </rec>
    <rec time="2008/02/24 06:39:27" user="mohamed" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spoclsv.exe.vir</attr>
    <attr name="type">@EID_Id_vir</attr>
    <attr name="what">Worm/Generic.AHA</attr>
    </rec>
    <rec time="2008/02/24 06:39:28" user="mohamed" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spoclsv_exe.vir.vir</attr>
    <attr name="type">@EID_Id_vir</attr>
    <attr name="what">Worm/Generic.AHA</attr>
    </rec>
    <rec time="2008/02/24 06:39:29" user="mohamed" source="Virus">
    <value>@HL_ReportFind</value>
    <attr name="where">C:\QooBox\Quarantine\E\setup.exe.vir</attr>
    <attr name="type">@EID_Id_vir</attr>
    <attr name="what">Worm/Generic.AHA</attr>
    </rec>
    <rec time="2008/02/24 06:55:54" user="mohamed" source="General">
    <value>@HL_TestEnded</value>
    <attr name="testname">@TestName_02</attr>
    <attr name="infectedfiles">6</attr>
    </rec>
    <rec time="2008/02/24 06:55:55" user="mohamed" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\Program Files\Common Files\Microsoft Shared\MSInfo\QQGS1.dll</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2008/02/24 06:55:55" user="mohamed" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\QooBox\Quarantine\C\setup.exe.vir</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2008/02/24 06:55:55" user="mohamed" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Sys.vir</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2008/02/24 06:55:56" user="mohamed" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spoclsv.exe.vir</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2008/02/24 06:55:56" user="mohamed" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spoclsv_exe.vir.vir</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    <rec time="2008/02/24 06:55:56" user="mohamed" source="Virus">
    <value>@HL_ActionTaken</value>
    <attr name="filename">C:\QooBox\Quarantine\E\setup.exe.vir</attr>
    <attr name="action">@HL_ActCleaned</attr>
    </rec>
    </history>
     
  18. 2008/02/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That log does show me what I wanted to see.

    C:\setup_exe.vir
    Worm/Generic.AHA
    action=Cleaned

    C:\Program Files\Common Files\Microsoft Shared\MSInfo\QQGS1.dll
    PSW.Generic5.GHD
    action=Cleaned

    The rest were already in quarantine by ComboFix.
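The read-through above (pair each find with the action taken on it, set aside anything that was already in ComboFix's QooBox quarantine) can be scripted against the AVG history log posted earlier in the thread. This is an added example, not AVG's code and not part of any post here; the embedded sample is a constructed subset of that log with clean attribute quoting, and its infectedfiles counts and the one find left without an action are constructed to exercise the checks.

```python
"""Triage an AVG Anti-Virus history log of the kind posted in this thread:
a <history> root, one <rec> per event, a <value> naming the event and
<attr> children carrying its fields. Added example, not AVG's own code."""
import xml.etree.ElementTree as ET

# ComboFix keeps its quarantined copies under this folder (seen in the log).
QOOBOX_PREFIX = r"c:\qoobox\quarantine"

# Constructed sample: a subset of the posted log with clean attribute quoting.
# The infectedfiles counts and the find without an @HL_ActionTaken are constructed.
SAMPLE_LOG = r"""<history>
<rec time="2008/02/24 06:09:37" user="mohamed" source="General">
<value>@HL_TestStarted</value><attr name="testname">@TestName_02</attr></rec>
<rec time="2008/02/24 06:09:46" user="mohamed" source="Virus"><value>@HL_ReportFind</value>
<attr name="where">C:\setup_exe.vir</attr>
<attr name="type">@EID_Id_vir</attr><attr name="what">Worm/Generic.AHA</attr></rec>
<rec time="2008/02/24 06:09:50" user="mohamed" source="General"><value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr><attr name="infectedfiles">1</attr></rec>
<rec time="2008/02/24 06:09:50" user="mohamed" source="Virus"><value>@HL_ActionTaken</value>
<attr name="filename">C:\setup_exe.vir</attr><attr name="action">@HL_ActCleaned</attr></rec>
<rec time="2008/02/24 06:23:35" user="mohamed" source="General">
<value>@HL_TestStarted</value><attr name="testname">@TestName_02</attr></rec>
<rec time="2008/02/24 06:31:07" user="mohamed" source="Virus"><value>@HL_ReportFind</value>
<attr name="where">C:\Program Files\Common Files\Microsoft Shared\MSInfo\QQGS1.dll</attr>
<attr name="type">@EID_Id_trj</attr><attr name="what">PSW.Generic5.GHD</attr></rec>
<rec time="2008/02/24 06:39:23" user="mohamed" source="Virus"><value>@HL_ReportFind</value>
<attr name="where">C:\QooBox\Quarantine\C\setup.exe.vir</attr>
<attr name="type">@EID_Id_vir</attr><attr name="what">Worm/Generic.AHA</attr></rec>
<rec time="2008/02/24 06:39:23" user="mohamed" source="Virus"><value>@HL_ReportFind</value>
<attr name="where">C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Sys.vir</attr>
<attr name="type">@EID_Id_trj</attr><attr name="what">PSW.Generic5.AJSE</attr></rec>
<rec time="2008/02/24 06:55:54" user="mohamed" source="General"><value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr><attr name="infectedfiles">3</attr></rec>
<rec time="2008/02/24 06:55:55" user="mohamed" source="Virus"><value>@HL_ActionTaken</value>
<attr name="filename">C:\Program Files\Common Files\Microsoft Shared\MSInfo\QQGS1.dll</attr>
<attr name="action">@HL_ActCleaned</attr></rec>
<rec time="2008/02/24 06:55:55" user="mohamed" source="Virus"><value>@HL_ActionTaken</value>
<attr name="filename">C:\QooBox\Quarantine\C\setup.exe.vir</attr>
<attr name="action">@HL_ActCleaned</attr></rec>
</history>
"""


def records(xml_text):
    """Yield (event, fields) for every <rec>, in log order."""
    root = ET.fromstring(xml_text.strip())
    for rec in root.iter("rec"):
        event = (rec.findtext("value") or "").strip()
        fields = {a.get("name"): (a.text or "").strip() for a in rec.findall("attr")}
        yield event, fields


def triage(xml_text):
    """Pair each @HL_ReportFind with the @HL_ActionTaken for the same path.

    Returns {"live": [...], "quarantined": [...], "unhandled": [...]} of
    (path, detection, action) tuples: 'quarantined' finds were already under
    QooBox (ComboFix had dealt with them), 'unhandled' finds have no action.
    """
    finds, actions = {}, {}
    for event, f in records(xml_text):
        if event == "@HL_ReportFind":
            finds[f["where"]] = f.get("what", "")
        elif event == "@HL_ActionTaken":
            actions[f["filename"]] = f.get("action", "")
    report = {"live": [], "quarantined": [], "unhandled": []}
    for path, name in finds.items():
        action = actions.get(path)
        if action is None:
            bucket = "unhandled"
        elif path.lower().startswith(QOOBOX_PREFIX):
            bucket = "quarantined"
        else:
            bucket = "live"
        report[bucket].append((path, name, action))
    return report


def check_test_counts(xml_text):
    """Compare each @HL_TestEnded 'infectedfiles' with the finds logged since
    the preceding @HL_TestStarted; returns (testname, reported, counted)."""
    results, seen = [], 0
    for event, f in records(xml_text):
        if event == "@HL_TestStarted":
            seen = 0
        elif event == "@HL_ReportFind":
            seen += 1
        elif event == "@HL_TestEnded":
            results.append((f.get("testname", ""), int(f.get("infectedfiles", 0)), seen))
    return results


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        for path, name, action in entries:
            print(f"{bucket:11} {name:18} {action or '(no action)':15} {path}")
    print(check_test_counts(SAMPLE_LOG))
```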
     
  19. 2008/02/23
    Andy Cool

    Andy Cool Inactive Thread Starter

    Joined:
    2007/10/12
    Messages:
    208
    Likes Received:
    0
    So no need for me to post the AVG Antispyware log???

    Kaspersky is still running...


     
  20. 2008/02/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'd like to see it also.
     
  21. 2008/02/23
    Andy Cool

    Andy Cool Inactive Thread Starter

    Joined:
    2007/10/12
    Messages:
    208
    Likes Received:
    0
    Here is the AVG spyware log

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:42:49 AM 2/23/2008

    + Scan result:



    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP167\A0207103.exe -> Downloader.Zlob.fpg : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP167\A0198320.exe -> Hijacker.IFrame.gc : No action taken.
    C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.win.vir -> Logger.Delf.pg : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP170\snapshot\MFEX-2.DAT -> Logger.Delf.pg : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP169\A0222761.exe -> Trojan.QQPass.aez : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0154891.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0155997.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0157087.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0157141.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0158194.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0158216.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0159325.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0160416.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161101.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161117.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161127.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161149.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161580.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161602.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161624.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161645.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161668.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161690.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161712.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161734.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161756.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161778.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161800.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161822.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0161844.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162027.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162049.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162071.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162093.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162115.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162137.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162159.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162181.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162203.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162225.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162247.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162269.Sys -> Trojan.QQPass.afp : No action taken.
    C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0162291.Sys -> Trojan.QQPass.afp : No action taken.
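
As an added example, not part of the thread, the following Python script parses AVG Anti-Spyware report lines in the `path -> detection : action.` format shown above and sorts each hit by where it sits: inside a System Restore point (an inactive copy, removed when restore points are purged), inside ComboFix's QooBox quarantine (already neutralized, as the helper noted in post 18), or in a live location that still needs attention. The sample lines are constructed from the report format above; the QQGS1.dll "No action taken" entry is a constructed illustration, not what AVG reported.

```python
import re
from collections import Counter

# Constructed sample in the AVG Anti-Spyware scan-report line format.
# The last line is a constructed "live" hit for illustration only.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP167\A0207103.exe -> Downloader.Zlob.fpg : No action taken.
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.win.vir -> Logger.Delf.pg : No action taken.
C:\System Volume Information\_restore{3A3C753E-374F-4D63-88D5-9555F76A7918}\RP162\A0154891.Sys -> Trojan.QQPass.afp : No action taken.
C:\Program Files\Common Files\Microsoft Shared\MSInfo\QQGS1.dll -> PSW.Generic5.GHD : No action taken.
"""

# One report line: <path> -> <detection name> : <action>.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")
# System Restore point copies live under _restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[^}]+\}\\(rp\d+)\\", re.I
)


def classify_path(path):
    """Return (location, restore_point_id) for a detected file path."""
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", m.group(1).upper()
    if "\\qoobox\\quarantine\\" in path.lower():
        return "combofix_quarantine", None
    return "live", None


def parse_report(text):
    """Parse report lines into dicts; lines that are not hits are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        location, rp = classify_path(m["path"])
        records.append({"path": m["path"], "detection": m["detection"],
                        "action": m["action"], "location": location,
                        "restore_point": rp})
    return records


def needs_attention(records):
    """Live hits that the scanner left untouched are the ones to act on."""
    return [r for r in records
            if r["location"] == "live" and r["action"].lower().startswith("no action")]


def summarize(records):
    """Count hits per location so a helper sees the picture at a glance."""
    return Counter(r["location"] for r in records)
```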
     
