new notebook ...

jessiej

New Member
hey all,

I just got a new notebook and uhh want to make sure I keep it protected. So besides having an antivirus, is there any other program that I should get?
And also my thumbdrive is infested with viruses and I need the files inside. So how can I remove the viruses and use it on this comp?
 

jjeisse

New Member
I have NOD32 antivirus system and Spybot Search & Destroy.

Specs are:

Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz, 1.67 GHz
Memory (RAM): 2038 MB
32-bit operating system
Windows Vista Basic
 

cohen

New Member
AVG 8.0 should work for you

Also, I'm pretty sure in AVG you can scan the thumb drive, so do that and see what it does.
 

GameMaster

New Member
Hello!
Are you able to insert that thumbdrive on any machine?
Please do the following:
Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

jjeisse

New Member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:32 PM, on 5/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [HuaWeiEVDO.exe] "C:\Program Files\Huawei technologies\Mobile Connect\Mobile Connect.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9274 bytes
 

jjeisse

New Member
Ya, I can insert it, but it will just pass the virus to the computer and I don't want to get that virus onto my notebook.
 

GameMaster

New Member
Please insert it into the PC. Open it and let it spread on the computer we're fixing now. It's important that we know what viruses you have on your thumbdrive.
Then run ComboFix:
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens, we want to know, and also what process you had to end.
 

jjeisse

New Member
ComboFix 08-05-24.1 - TOSHIBA 2008-05-25 23:14:17.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.927 [GMT 8:00]
Running from: C:\Users\TOSHIBA\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-25 23:09 . 2008-05-25 23:09 <DIR> d-------- C:\sUBs
2008-05-25 20:46 . 2008-05-25 20:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 18:11 . 2008-05-25 18:15 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\AVG7
2008-05-25 18:11 . 2008-05-25 20:41 <DIR> d-------- C:\Users\All Users\avg7
2008-05-25 18:11 . 2008-05-25 20:41 <DIR> d-------- C:\ProgramData\avg7
2008-05-25 17:41 . 2008-05-25 17:41 <DIR> d-------- C:\Program Files\Audacity
2008-05-25 15:28 . 2008-05-25 15:28 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-25 15:28 . 2008-05-25 15:28 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-25 14:56 . 2008-05-25 20:45 <DIR> d-------- C:\Users\TOSHIBA\Incomplete
2008-05-25 00:49 . 2007-08-08 12:07 101,504 --a------ C:\Windows\System32\drivers\ewusbmdm.sys
2008-05-25 00:49 . 2007-08-08 12:06 23,424 --a------ C:\Windows\System32\drivers\ewdcsc.sys
2008-05-25 00:47 . 2008-05-25 00:47 <DIR> d-------- C:\Program Files\Huawei technologies
2008-05-24 00:13 . 2008-05-24 00:14 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Media Player Classic
2008-05-23 22:35 . 2008-05-23 22:35 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Datalayer
2008-05-23 22:06 . 2008-05-23 22:41 <DIR> d-------- C:\Users\TOSHIBA\Phone Browser
2008-05-23 22:06 . 2008-05-23 22:06 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Nokia N73
2008-05-23 22:06 . 2008-05-23 22:06 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Nokia Multimedia Player
2008-05-23 22:05 . 2008-05-23 23:02 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Nokia
2008-05-23 22:00 . 2008-05-23 22:01 <DIR> d-------- C:\Windows\Downloaded Installations
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\PC Suite
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\Users\All Users\PC Suite
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\ProgramData\PC Suite
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-05-23 21:57 . 2008-05-23 21:57 <DIR> d-------- C:\Users\All Users\Downloaded Installations
2008-05-23 21:57 . 2008-05-23 21:57 <DIR> d-------- C:\ProgramData\Downloaded Installations
2008-05-23 21:57 . 2008-05-23 22:01 <DIR> d-------- C:\Program Files\Nokia
2008-05-23 21:57 . 2006-05-29 08:26 50,688 --a------ C:\Windows\System32\nmwcdcls.dll
2008-05-22 15:02 . 2008-05-23 23:03 <DIR> d-------- C:\Users\TOSHIBA\Ipod Wallie
2008-05-19 14:03 . 2008-05-19 14:03 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-05-19 14:03 . 2008-05-19 14:03 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-05-19 14:03 . 2008-05-19 14:03 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-05-19 14:03 . 2008-05-19 14:03 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-05-19 14:03 . 2008-05-19 14:03 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-05-18 19:43 . 2008-05-25 23:16 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\uTorrent
2008-05-18 19:43 . 2008-05-18 19:43 <DIR> d-------- C:\Program Files\uTorrent
2008-05-18 17:29 . 2008-05-18 17:29 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-18 14:12 . 2008-05-18 14:12 0 --a------ C:\Windows\nsreg.dat
2008-05-18 12:52 . 2008-05-18 16:27 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Apple Computer
2008-05-18 12:52 . 2008-05-18 12:52 <DIR> d-------- C:\Program Files\iTunes
2008-05-18 12:52 . 2008-05-18 12:52 <DIR> d-------- C:\Program Files\iPod
2008-05-18 12:51 . 2008-05-18 12:52 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-05-18 12:51 . 2008-05-18 12:52 <DIR> d-------- C:\ProgramData\Apple Computer
2008-05-18 12:51 . 2008-05-18 12:51 <DIR> d-------- C:\Program Files\QuickTime
2008-05-18 12:51 . 2008-05-18 12:51 <DIR> d-------- C:\Program Files\Bonjour
2008-05-18 12:50 . 2008-05-18 12:50 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-18 12:49 . 2008-05-18 12:49 <DIR> d-------- C:\Users\All Users\Apple
2008-05-18 12:49 . 2008-05-18 12:49 <DIR> d-------- C:\ProgramData\Apple
2008-05-18 12:49 . 2008-05-18 12:49 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-18 12:25 . 2008-05-25 18:14 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-18 12:25 . 2008-05-25 18:14 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-18 12:25 . 2008-05-18 12:25 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 12:11 . 2008-05-18 12:11 704,000 --a------ C:\Windows\System32\PhotoScreensaver.scr
2008-05-18 12:09 . 2008-05-18 12:09 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-05-18 12:09 . 2008-05-18 12:09 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-05-18 12:09 . 2008-05-18 12:09 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-05-18 12:09 . 2008-05-18 12:09 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-05-18 12:09 . 2008-05-18 12:09 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-05-18 12:09 . 2008-05-18 12:09 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-05-18 12:09 . 2008-05-18 12:09 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-05-18 12:09 . 2008-05-18 12:09 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-05-18 12:09 . 2008-05-18 12:09 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-05-18 12:09 . 2008-05-18 12:09 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-05-18 12:08 . 2008-05-18 12:08 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-05-18 12:08 . 2008-05-18 12:08 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-05-18 12:08 . 2008-05-18 12:08 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-05-18 12:08 . 2008-05-18 12:08 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-05-18 12:08 . 2008-05-18 12:08 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-05-18 12:08 . 2008-05-18 12:08 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-05-18 12:06 . 2008-05-18 12:06 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-05-18 12:06 . 2008-05-18 12:06 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-05-18 12:06 . 2008-05-18 12:06 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-05-18 12:06 . 2008-05-18 12:06 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-05-18 12:06 . 2008-05-18 12:06 2,048 --a------ C:\Windows\System32\asferror.dll
2008-05-18 12:05 . 2008-05-18 12:05 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-18 12:05 . 2008-05-18 12:05 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-05-18 12:05 . 2008-05-18 12:05 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-05-18 12:05 . 2008-05-18 12:05 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-05-18 12:05 . 2008-05-18 12:05 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-05-18 12:04 . 2008-05-18 12:04 148,992 --a------ C:\Windows\System32\drivers\ks.sys
2008-05-18 12:04 . 2008-05-18 12:04 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-05-18 12:04 . 2008-05-18 12:04 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-05-18 12:04 . 2008-05-18 12:04 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-05-18 12:04 . 2008-05-18 12:04 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-05-18 12:04 . 2008-05-18 12:04 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-05-18 12:04 . 2008-05-18 12:04 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-05-18 12:03 . 2008-05-18 12:03 788,992 --a------ C:\Windows\System32\rpcrt4.dll
2008-05-18 12:01 . 2008-05-18 12:01 2,048 --a------ C:\Windows\System32\tzres.dll
2008-05-18 12:00 . 2008-05-18 12:00 750,080 --a------ C:\Windows\System32\qmgr.dll
2008-05-17 10:38 . 2008-05-25 20:45 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\LimeWire
2008-05-17 10:35 . 2008-05-17 10:35 <DIR> d-------- C:\Program Files\LimeWire
2008-05-17 10:20 . 2008-05-17 10:20 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-05-17 10:20 . 2008-05-17 10:20 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-05-17 10:09 . 2008-05-17 10:18 <DIR> d-------- C:\Program Files\Windows Live
2008-05-17 10:09 . 2008-05-17 10:18 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-17 10:08 . 2008-05-17 10:08 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-05-17 10:08 . 2008-05-17 10:08 <DIR> d-------- C:\ProgramData\WLInstaller
2008-05-17 10:08 . 2008-05-17 10:08 1,712,984 --a------ C:\Windows\System32\wuaueng.dll
2008-05-17 10:08 . 2008-05-17 10:08 1,524,224 --a------ C:\Windows\System32\wucltux.dll
2008-05-17 10:08 . 2008-05-17 10:08 549,720 --a------ C:\Windows\System32\wuapi.dll
2008-05-17 10:08 . 2008-05-17 10:08 163,000 --a------ C:\Windows\System32\wuwebv.dll
2008-05-17 10:08 . 2008-05-17 10:08 80,896 --a------ C:\Windows\System32\wudriver.dll
2008-05-17 10:08 . 2008-05-17 10:08 53,080 --a------ C:\Windows\System32\wuauclt.exe
2008-05-17 10:08 . 2008-05-17 10:08 43,352 --a------ C:\Windows\System32\wups2.dll
2008-05-17 10:08 . 2008-05-17 10:08 33,624 --a------ C:\Windows\System32\wups.dll
2008-05-17 10:08 . 2008-05-17 10:08 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-05-17 02:27 . 2008-05-17 02:27 <DIR> d-------- C:\Program Files\ltmoh
2008-05-17 02:27 . 2006-10-18 16:39 487,424 --a------ C:\Windows\System32\cselect.exe
2008-05-17 02:27 . 2003-02-25 15:42 128,113 --a------ C:\Windows\System32\csellang.ini
2008-05-17 02:27 . 2003-12-05 09:48 77,824 --a------ C:\Windows\System32\tosmreg.exe
2008-05-17 02:27 . 2003-11-01 03:59 45,056 --a------ C:\Windows\System32\csellang.dll
2008-05-17 02:27 . 2007-02-02 11:17 10,150 --a------ C:\Windows\System32\tosmreg.ini
2008-05-17 02:27 . 2003-02-25 16:01 7,671 --a------ C:\Windows\System32\cseltbl.ini
2008-05-17 02:26 . 2008-05-17 02:26 <DIR> d-------- C:\Windows\Options
2008-05-17 02:26 . 2008-05-17 02:26 <DIR> d-------- C:\Program Files\Synaptics
2008-05-17 02:26 . 2008-05-17 02:26 <DIR> d-------- C:\DOCS
2008-05-17 02:26 . 2008-05-17 02:26 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-05-17 02:26 . 2008-05-17 02:26 0 -rahs---- C:\Windows\System32\drivers\1179_TOSHIBA_Satellite M200_S3A6460D003_PSMC3L-06V004.MRK
2008-05-17 02:24 . 2007-03-14 08:49 936,728 --a------ C:\Windows\System32\imsmudlg.exe
2008-05-17 02:24 . 2007-02-13 05:36 277,784 --a------ C:\Windows\System32\drivers\iaStor.sys
2008-05-16 11:51 . 2008-05-25 14:43 <DIR> d-------- C:\Program Files\ESET
2008-05-16 11:51 . 2008-05-16 11:51 512,096 --a------ C:\Windows\System32\drivers\amon.sys
2008-05-16 11:51 . 2008-05-16 11:51 298,104 --a------ C:\Windows\System32\imon.dll
2008-05-16 11:51 . 2008-05-16 11:51 15,424 --a------ C:\Windows\System32\drivers\nod32drv.sys
2008-05-16 11:39 . 2008-05-16 11:39 <DIR> d-------- C:\Program Files\Camera Assistant Software for Toshiba

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 16:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 10:15 174 --sha-w C:\Program Files\desktop.ini
2008-05-19 07:29 --------- d-----w C:\Program Files\Windows Calendar
2008-05-19 06:02 944,184 ----a-w C:\Windows\System32\winload.exe
2008-05-19 05:59 88,576 ----a-w C:\Windows\System32\avifil32.dll
2008-05-18 04:38 --------- d-----w C:\Program Files\Windows Mail
2008-05-18 04:37 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-18 04:10 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-05-18 04:10 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-05-18 04:10 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-05-18 04:10 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-05-18 04:10 299,008 ----a-w C:\Windows\System32\wlansec.dll
2008-05-18 04:10 289,280 ----a-w C:\Windows\System32\wlanmsm.dll
2008-05-18 04:10 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-05-18 04:10 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-05-18 04:10 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-05-18 04:10 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-05-18 04:10 2,923,520 ----a-w C:\Windows\explorer.exe
2008-05-18 04:10 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-05-18 04:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-18 04:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-05-18 04:05 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-05-18 04:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-05-18 04:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-05-18 04:02 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-05-18 04:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-05-18 04:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-05-18 04:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-05-16 03:38 --------- d-----w C:\ProgramData\Toshiba
2008-05-16 03:38 --------- d-----w C:\Program Files\Toshiba
2008-05-16 03:34 --------- d-----w C:\Program Files\Intel
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-05-18 12:05 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 20:34 2159104 C:\Windows\System32\oobefldr.dll]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 23:59 417792]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"HuaWeiEVDO.exe"="C:\Program Files\Huawei technologies\Mobile Connect\Mobile Connect.exe" [2007-10-09 11:58 925696]
"ares"="C:\Program Files\Ares\Ares.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-14 15:50 4399104 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" []
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-20 11:07 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-20 11:07 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-20 11:07 129560]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-02 13:36 835584]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-19 23:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 11:46 448632]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-03-23 14:41 538744]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-03-21 17:23 413696]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-05-16 11:51 949376]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

C:\Users\TOSHIBA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-19 03:21:09 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C902BB4C-47D3-4F0C-8D16-C4F19F126686}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{57714F56-E0CC-4A60-B926-00DE69F5F56F}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{488B65FD-EEEF-48F7-9633-FD68B5ADCD5C}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{8C8B1178-3CD6-446E-B31D-51C9F9BB6A6B}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"{6A420FCC-F3A3-47B1-858E-4702BD3B087E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{4DB7550B-1C9F-40FA-A163-24BF84A7B229}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{5DA34A77-1362-4FB4-B5B6-98E97EF45C60}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{AA02A5DC-A07B-4B56-934B-3714CC5FF247}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{18B1B8B1-4E35-4A12-B1CA-944B00BAF1FD}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{171F1DD0-1514-4347-A37A-B7655367A0E4}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{BFCDE734-DAC6-4B3F-B1DD-1177934F7EA4}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{80F1A701-BF14-4F4B-B139-4D831F5390C3}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{9F69B517-F7E3-4F8F-8AF9-034AF0FC63CF}C:\\program files\\ares\\ares.exe"= UDP:C:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{231FD8B2-47D6-4D5B-8619-A8A05C7FF3C7}C:\\program files\\ares\\ares.exe"= TCP:C:\program files\ares\ares.exe:Ares p2p for windows

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-09-19 10:59]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-09-19 11:01]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-26 12:55]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 13:11]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-09-13 15:23]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-19 02:50]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-03-12 21:47]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-01-10 01:00]
S3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2006-11-02 15:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f6bbee-27c7-11dd-9af7-001cbfcdd3e3}]
\shell\AutoRun\command - E:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c58070d-2a17-11dd-bbf6-001e3331441a}]
\shell\AutoPlay\command - wscript.exe \saifulfaizan.js
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js
\shell\Explore\command - wscript.exe \saifulfaizan.js -Clicked
\shell\Open\command - wscript.exe \saifulfaizan.js
\shell\Scan for Viruses\command - wscript.exe \saifulfaizan.js
\shell\Scan with AVG\command - wscript.exe \saifulfaizan.js
\shell\Scan with Norton AntiVirus\command - wscript.exe \saifulfaizan.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d50ed21-29ab-11dd-a1c0-001cbfcdd3e3}]
\shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d50ed4c-29ab-11dd-a1c0-001e3331441a}]
\shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db2532ca-272a-11dd-ba7a-001cbfcdd3e3}]
\shell\AutoPlay\command - wscript.exe \saifulfaizan.js
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js
\shell\Explore\command - wscript.exe \saifulfaizan.js -Clicked
\shell\Open\command - wscript.exe \saifulfaizan.js
\shell\Scan for Viruses\command - wscript.exe \saifulfaizan.js
\shell\Scan with AVG\command - wscript.exe \saifulfaizan.js
\shell\Scan with Norton AntiVirus\command - wscript.exe \saifulfaizan.js

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 02:20:35 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-25 07:03:34 C:\Windows\Tasks\User_Feed_Synchronization-{11EA8DFC-B6F5-4624-B338-034E421E2214}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 23:16:42
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????uP0????(?-?P?-???-???-???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-25 23:17:41
ComboFix-quarantined-files.txt 2008-05-25 15:17:22

Pre-Run: 96,199,991,296 bytes free
Post-Run: 96,239,575,040 bytes free

286 --- E O F --- 2008-05-23 13:30:17
 

GameMaster

New Member
The log seems clean.

Could you please copy ComboFix on your thumbdrive and run it from there? Post the log please.
 

jjeisse

New Member
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db2532ca-272a-11dd-ba7a-001cbfcdd3e3}]
\shell\AutoPlay\command - wscript.exe \saifulfaizan.js
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js
\shell\Explore\command - wscript.exe \saifulfaizan.js -Clicked
\shell\Open\command - wscript.exe \saifulfaizan.js
\shell\Scan for Viruses\command - wscript.exe \saifulfaizan.js
\shell\Scan with AVG\command - wscript.exe \saifulfaizan.js
\shell\Scan with Norton AntiVirus\command - wscript.exe \saifulfaizan.js

You see the one called saifulfaizan.js: that's the virus too.
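The MountPoints2 entries quoted in this thread are the registry side of removable-drive autorun: under HKCU\...\Explorer\MountPoints2\{volume GUID}\shell, Explorer caches the verbs and command lines it read from the volume's autorun.inf. Two things follow for triage. The verb names come from the autorun.inf itself, so a "Scan with AVG" or "Scan with Norton AntiVirus" entry says nothing about what is installed on the PC; and a command whose target is written relative to the drive root (such as \saifulfaizan.js) means the payload travels with the stick and is absent from C:, which is why a deletion tool pointed at the C: side finds nothing. As an added example that is not part of this thread, of ComboFix or of HijackThis, the Python below parses that block from a pasted log and flags handlers that invoke a script host, go through RunDLL32 ShellExec_RunDLL, use a drive-relative target, or redefine Explorer's own Open and Explore verbs (plus decoy "Scan with ..." verbs) to one payload. The sample log text is constructed from the entries in this thread; the severity labels, reason strings and function names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the MountPoints2 entries quoted in this thread, nothing more.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c58070d-2a17-11dd-bbf6-001e3331441a}]
\shell\AutoPlay\command - wscript.exe \saifulfaizan.js
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js
\shell\Explore\command - wscript.exe \saifulfaizan.js -Clicked
\shell\Open\command - wscript.exe \saifulfaizan.js
\shell\Scan for Viruses\command - wscript.exe \saifulfaizan.js
\shell\Scan with AVG\command - wscript.exe \saifulfaizan.js
\shell\Scan with Norton AntiVirus\command - wscript.exe \saifulfaizan.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d50ed21-29ab-11dd-a1c0-001cbfcdd3e3}]
\shell\AutoRun\command - E:\AutoRun.exe
"""

# A MountPoints2 section header, capturing the per-volume key (drive letter or GUID).
SECTION_RE = re.compile(r"^\[(?P<key>.+\\mountpoints2\\(?P<device>[^\]]+))\]$", re.I)
# One cached shell verb: "\shell\<verb>\command - <command line>".
ENTRY_RE = re.compile(r"^\\shell\\(?P<verb>.+?)\\command - (?P<cmd>.+)$", re.I)
# A target written as \name.ext, i.e. relative to the root of the removable volume.
RELATIVE_RE = re.compile(r"(?<!\S)\\[^\\\s]+\.\w+")

# Interpreters that run whatever script or command they are handed.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe")
# Verbs that autorun.inf may legitimately define; anything else is an Explorer verb
# being overridden or a decoy entry added to the context menu.
AUTORUN_VERBS = {"autorun", "autoplay"}


@dataclass
class Device:
    key: str
    device: str
    handlers: dict = field(default_factory=dict)  # verb -> command line


@dataclass
class Finding:
    device: str
    severity: str   # "high" or "info"
    reasons: list
    payload: str


def parse_mountpoints(text):
    """Collect the MountPoints2 sections of a ComboFix-style log into Device records."""
    devices, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = Device(m["key"], m["device"])
            devices.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current.handlers[m["verb"]] = m["cmd"]
        elif line.startswith("["):
            current = None  # some other registry key: ignore its lines
    return devices


def classify(dev):
    """Score one volume's cached handlers and explain the verdict."""
    hits = {"script host": [], "RunDLL32 ShellExec_RunDLL": [], "drive-relative target": []}
    payloads, extra_verbs = set(), []
    for verb, cmd in dev.handlers.items():
        low = cmd.lower()
        if any(host in low for host in SCRIPT_HOSTS):
            hits["script host"].append(verb)
        if "shellexec_rundll" in low:
            hits["RunDLL32 ShellExec_RunDLL"].append(verb)
        rel = RELATIVE_RE.search(cmd)
        if rel:
            hits["drive-relative target"].append(verb)
            payloads.add(rel.group().lower())
        else:
            payloads.add(cmd.split()[0].lower())
        if verb.lower() not in AUTORUN_VERBS:
            extra_verbs.append(verb)
    reasons = [f"{kind} ({', '.join(verbs)})" for kind, verbs in hits.items() if verbs]
    if extra_verbs and len(payloads) == 1:
        reasons.append("Explorer verbs redefined to one payload: " + ", ".join(extra_verbs))
    payload = ", ".join(sorted(payloads))
    if reasons:
        return Finding(dev.device, "high", reasons, payload)
    return Finding(dev.device, "info",
                   ["AutoRun executable on the drive; confirm it is the vendor's"], payload)


def triage(text):
    """Parse a log and return one Finding per MountPoints2 volume, in log order."""
    return [classify(d) for d in parse_mountpoints(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.device} -> {f.payload}")
        for reason in f.reasons:
            print("    -", reason)
```

Run against a saved ComboFix or HijackThis log, the script reports the WD and generic AutoRun.exe volumes as informational and the GUID with the wscript handlers as high, naming the drive-relative payload; the remediation then belongs on the stick (the .js and its autorun.inf) and in that MountPoints2 key, not on the C: path the RunDLL32 line happens to start with.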
 

jjeisse

New Member
The log seems clean.

Could you please copy ComboFix on your thumbdrive and run it from there? Post the log please.

Did you mean download it to my thumbdrive? 'Cause if it is, this is the log:

ComboFix 08-05-25.3 - TOSHIBA 2008-05-26 14:11:07.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1025 [GMT 8:00]
Running from: F:\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-25 23:09 . 2008-05-25 23:09 <DIR> d-------- C:\sUBs
2008-05-25 20:46 . 2008-05-25 20:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 18:11 . 2008-05-25 18:15 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\AVG7
2008-05-25 18:11 . 2008-05-25 23:21 <DIR> d-------- C:\Users\All Users\avg7
2008-05-25 18:11 . 2008-05-25 23:21 <DIR> d-------- C:\ProgramData\avg7
2008-05-25 17:41 . 2008-05-25 17:41 <DIR> d-------- C:\Program Files\Audacity
2008-05-25 15:28 . 2008-05-25 15:28 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-25 15:28 . 2008-05-25 15:28 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-25 14:56 . 2008-05-26 13:59 <DIR> d-------- C:\Users\TOSHIBA\Incomplete
2008-05-25 00:49 . 2007-08-08 12:07 101,504 --a------ C:\Windows\System32\drivers\ewusbmdm.sys
2008-05-25 00:49 . 2007-08-08 12:06 23,424 --a------ C:\Windows\System32\drivers\ewdcsc.sys
2008-05-25 00:47 . 2008-05-25 00:47 <DIR> d-------- C:\Program Files\Huawei technologies
2008-05-24 00:13 . 2008-05-24 00:14 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Media Player Classic
2008-05-23 22:35 . 2008-05-23 22:35 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Datalayer
2008-05-23 22:06 . 2008-05-23 22:41 <DIR> d-------- C:\Users\TOSHIBA\Phone Browser
2008-05-23 22:06 . 2008-05-23 22:06 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Nokia N73
2008-05-23 22:06 . 2008-05-23 22:06 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Nokia Multimedia Player
2008-05-23 22:05 . 2008-05-23 23:02 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Nokia
2008-05-23 22:00 . 2008-05-23 22:01 <DIR> d-------- C:\Windows\Downloaded Installations
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\PC Suite
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\Users\All Users\PC Suite
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\ProgramData\PC Suite
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-05-23 21:58 . 2008-05-23 21:59 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-05-23 21:57 . 2008-05-23 21:57 <DIR> d-------- C:\Users\All Users\Downloaded Installations
2008-05-23 21:57 . 2008-05-23 21:57 <DIR> d-------- C:\ProgramData\Downloaded Installations
2008-05-23 21:57 . 2008-05-23 22:01 <DIR> d-------- C:\Program Files\Nokia
2008-05-23 21:57 . 2006-05-29 08:26 50,688 --a------ C:\Windows\System32\nmwcdcls.dll
2008-05-22 15:02 . 2008-05-23 23:03 <DIR> d-------- C:\Users\TOSHIBA\Ipod Wallie
2008-05-19 14:03 . 2008-05-19 14:03 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-05-19 14:03 . 2008-05-19 14:03 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-05-19 14:03 . 2008-05-19 14:03 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-05-19 14:03 . 2008-05-19 14:03 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-05-19 14:03 . 2008-05-19 14:03 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-05-18 19:43 . 2008-05-26 14:10 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\uTorrent
2008-05-18 19:43 . 2008-05-18 19:43 <DIR> d-------- C:\Program Files\uTorrent
2008-05-18 17:29 . 2008-05-18 17:29 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-18 14:12 . 2008-05-18 14:12 0 --a------ C:\Windows\nsreg.dat
2008-05-18 12:52 . 2008-05-18 16:27 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\Apple Computer
2008-05-18 12:52 . 2008-05-18 12:52 <DIR> d-------- C:\Program Files\iTunes
2008-05-18 12:52 . 2008-05-18 12:52 <DIR> d-------- C:\Program Files\iPod
2008-05-18 12:51 . 2008-05-18 12:52 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-05-18 12:51 . 2008-05-18 12:52 <DIR> d-------- C:\ProgramData\Apple Computer
2008-05-18 12:51 . 2008-05-18 12:51 <DIR> d-------- C:\Program Files\QuickTime
2008-05-18 12:51 . 2008-05-18 12:51 <DIR> d-------- C:\Program Files\Bonjour
2008-05-18 12:50 . 2008-05-18 12:50 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-18 12:49 . 2008-05-18 12:49 <DIR> d-------- C:\Users\All Users\Apple
2008-05-18 12:49 . 2008-05-18 12:49 <DIR> d-------- C:\ProgramData\Apple
2008-05-18 12:49 . 2008-05-18 12:49 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-18 12:25 . 2008-05-25 18:14 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-18 12:25 . 2008-05-25 18:14 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-18 12:25 . 2008-05-18 12:25 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 12:11 . 2008-05-18 12:11 704,000 --a------ C:\Windows\System32\PhotoScreensaver.scr
2008-05-18 12:09 . 2008-05-18 12:09 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-05-18 12:09 . 2008-05-18 12:09 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-05-18 12:09 . 2008-05-18 12:09 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-05-18 12:09 . 2008-05-18 12:09 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-05-18 12:09 . 2008-05-18 12:09 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-05-18 12:09 . 2008-05-18 12:09 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-05-18 12:09 . 2008-05-18 12:09 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-05-18 12:09 . 2008-05-18 12:09 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-05-18 12:09 . 2008-05-18 12:09 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-05-18 12:09 . 2008-05-18 12:09 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-05-18 12:08 . 2008-05-18 12:08 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-05-18 12:08 . 2008-05-18 12:08 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-05-18 12:08 . 2008-05-18 12:08 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-05-18 12:08 . 2008-05-18 12:08 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-05-18 12:08 . 2008-05-18 12:08 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-05-18 12:08 . 2008-05-18 12:08 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-05-18 12:06 . 2008-05-18 12:06 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-05-18 12:06 . 2008-05-18 12:06 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-05-18 12:06 . 2008-05-18 12:06 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-05-18 12:06 . 2008-05-18 12:06 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-05-18 12:06 . 2008-05-18 12:06 2,048 --a------ C:\Windows\System32\asferror.dll
2008-05-18 12:05 . 2008-05-18 12:05 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-18 12:05 . 2008-05-18 12:05 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-05-18 12:05 . 2008-05-18 12:05 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-05-18 12:05 . 2008-05-18 12:05 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-05-18 12:05 . 2008-05-18 12:05 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-05-18 12:04 . 2008-05-18 12:04 148,992 --a------ C:\Windows\System32\drivers\ks.sys
2008-05-18 12:04 . 2008-05-18 12:04 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-05-18 12:04 . 2008-05-18 12:04 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-05-18 12:04 . 2008-05-18 12:04 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-05-18 12:04 . 2008-05-18 12:04 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-05-18 12:04 . 2008-05-18 12:04 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-05-18 12:04 . 2008-05-18 12:04 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-05-18 12:03 . 2008-05-18 12:03 788,992 --a------ C:\Windows\System32\rpcrt4.dll
2008-05-18 12:01 . 2008-05-18 12:01 2,048 --a------ C:\Windows\System32\tzres.dll
2008-05-18 12:00 . 2008-05-18 12:00 750,080 --a------ C:\Windows\System32\qmgr.dll
2008-05-17 10:38 . 2008-05-26 13:57 <DIR> d-------- C:\Users\TOSHIBA\AppData\Roaming\LimeWire
2008-05-17 10:35 . 2008-05-17 10:35 <DIR> d-------- C:\Program Files\LimeWire
2008-05-17 10:20 . 2008-05-17 10:20 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-05-17 10:20 . 2008-05-17 10:20 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-05-17 10:09 . 2008-05-17 10:18 <DIR> d-------- C:\Program Files\Windows Live
2008-05-17 10:09 . 2008-05-17 10:18 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-17 10:08 . 2008-05-17 10:08 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-05-17 10:08 . 2008-05-17 10:08 <DIR> d-------- C:\ProgramData\WLInstaller
2008-05-17 10:08 . 2008-05-17 10:08 1,712,984 --a------ C:\Windows\System32\wuaueng.dll
2008-05-17 10:08 . 2008-05-17 10:08 1,524,224 --a------ C:\Windows\System32\wucltux.dll
2008-05-17 10:08 . 2008-05-17 10:08 549,720 --a------ C:\Windows\System32\wuapi.dll
2008-05-17 10:08 . 2008-05-17 10:08 163,000 --a------ C:\Windows\System32\wuwebv.dll
2008-05-17 10:08 . 2008-05-17 10:08 80,896 --a------ C:\Windows\System32\wudriver.dll
2008-05-17 10:08 . 2008-05-17 10:08 53,080 --a------ C:\Windows\System32\wuauclt.exe
2008-05-17 10:08 . 2008-05-17 10:08 43,352 --a------ C:\Windows\System32\wups2.dll
2008-05-17 10:08 . 2008-05-17 10:08 33,624 --a------ C:\Windows\System32\wups.dll
2008-05-17 10:08 . 2008-05-17 10:08 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-05-17 02:27 . 2008-05-17 02:27 <DIR> d-------- C:\Program Files\ltmoh
2008-05-17 02:27 . 2006-10-18 16:39 487,424 --a------ C:\Windows\System32\cselect.exe
2008-05-17 02:27 . 2003-02-25 15:42 128,113 --a------ C:\Windows\System32\csellang.ini
2008-05-17 02:27 . 2003-12-05 09:48 77,824 --a------ C:\Windows\System32\tosmreg.exe
2008-05-17 02:27 . 2003-11-01 03:59 45,056 --a------ C:\Windows\System32\csellang.dll
2008-05-17 02:27 . 2007-02-02 11:17 10,150 --a------ C:\Windows\System32\tosmreg.ini
2008-05-17 02:27 . 2003-02-25 16:01 7,671 --a------ C:\Windows\System32\cseltbl.ini
2008-05-17 02:26 . 2008-05-17 02:26 <DIR> d-------- C:\Windows\Options
2008-05-17 02:26 . 2008-05-17 02:26 <DIR> d-------- C:\Program Files\Synaptics
2008-05-17 02:26 . 2008-05-17 02:26 <DIR> d-------- C:\DOCS
2008-05-17 02:26 . 2008-05-17 02:26 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-05-17 02:26 . 2008-05-17 02:26 0 -rahs---- C:\Windows\System32\drivers\1179_TOSHIBA_Satellite M200_S3A6460D003_PSMC3L-06V004.MRK
2008-05-17 02:24 . 2007-03-14 08:49 936,728 --a------ C:\Windows\System32\imsmudlg.exe
2008-05-17 02:24 . 2007-02-13 05:36 277,784 --a------ C:\Windows\System32\drivers\iaStor.sys
2008-05-16 11:51 . 2008-05-25 14:43 <DIR> d-------- C:\Program Files\ESET
2008-05-16 11:51 . 2008-05-16 11:51 512,096 --a------ C:\Windows\System32\drivers\amon.sys
2008-05-16 11:51 . 2008-05-16 11:51 298,104 --a------ C:\Windows\System32\imon.dll
2008-05-16 11:51 . 2008-05-16 11:51 15,424 --a------ C:\Windows\System32\drivers\nod32drv.sys
2008-05-16 11:39 . 2008-05-16 11:39 <DIR> d-------- C:\Program Files\Camera Assistant Software for Toshiba

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 16:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 10:15 174 --sha-w C:\Program Files\desktop.ini
2008-05-19 07:29 --------- d-----w C:\Program Files\Windows Calendar
2008-05-19 06:02 944,184 ----a-w C:\Windows\System32\winload.exe
2008-05-19 05:59 88,576 ----a-w C:\Windows\System32\avifil32.dll
2008-05-18 04:38 --------- d-----w C:\Program Files\Windows Mail
2008-05-18 04:37 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-18 04:10 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-05-18 04:10 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-05-18 04:10 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-05-18 04:10 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-05-18 04:10 299,008 ----a-w C:\Windows\System32\wlansec.dll
2008-05-18 04:10 289,280 ----a-w C:\Windows\System32\wlanmsm.dll
2008-05-18 04:10 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-05-18 04:10 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-05-18 04:10 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-05-18 04:10 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-05-18 04:10 2,923,520 ----a-w C:\Windows\explorer.exe
2008-05-18 04:10 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-05-18 04:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-18 04:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-05-18 04:05 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-05-18 04:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-05-18 04:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-05-18 04:02 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-05-18 04:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-05-18 04:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-05-18 04:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-05-16 03:38 --------- d-----w C:\ProgramData\Toshiba
2008-05-16 03:38 --------- d-----w C:\Program Files\Toshiba
2008-05-16 03:34 --------- d-----w C:\Program Files\Intel
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-25_23.17.07.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 12:44:10 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-26 05:56:24 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-25 12:43:17 229,264 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-05-25 16:20:30 229,264 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-05-25 12:44:12 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-26 05:56:26 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-05-25 12:44:12 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-26 05:56:26 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-25 12:45:41 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-26 06:05:42 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-05-25 12:45:46 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-26 05:57:52 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-05-25 15:14:12 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-05-26 06:11:03 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-05-25 13:56:33 104,024 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-05-26 06:08:13 104,024 ----a-w C:\Windows\System32\perfc009.dat
- 2008-05-25 13:56:33 618,648 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-05-26 06:08:13 618,648 ----a-w C:\Windows\System32\perfh009.dat
- 2008-05-25 12:46:00 4,718 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2069671701-3476945987-2273482261-1000_UserData.bin
+ 2008-05-26 05:58:15 4,742 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2069671701-3476945987-2273482261-1000_UserData.bin
- 2008-05-25 12:46:00 58,870 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-26 05:58:15 59,224 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-25 12:45:58 33,586 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-26 05:58:14 33,690 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-05-18 12:05 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 20:34 2159104 C:\Windows\System32\oobefldr.dll]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 23:59 417792]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"HuaWeiEVDO.exe"="C:\Program Files\Huawei technologies\Mobile Connect\Mobile Connect.exe" [2007-10-09 11:58 925696]
"ares"="C:\Program Files\Ares\Ares.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-14 15:50 4399104 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" []
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-20 11:07 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-20 11:07 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-20 11:07 129560]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-02 13:36 835584]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-19 23:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 11:46 448632]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-03-23 14:41 538744]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-03-21 17:23 413696]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-05-16 11:51 949376]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

C:\Users\TOSHIBA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-19 03:21:09 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C902BB4C-47D3-4F0C-8D16-C4F19F126686}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{57714F56-E0CC-4A60-B926-00DE69F5F56F}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{488B65FD-EEEF-48F7-9633-FD68B5ADCD5C}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{8C8B1178-3CD6-446E-B31D-51C9F9BB6A6B}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"{6A420FCC-F3A3-47B1-858E-4702BD3B087E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{4DB7550B-1C9F-40FA-A163-24BF84A7B229}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{5DA34A77-1362-4FB4-B5B6-98E97EF45C60}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{AA02A5DC-A07B-4B56-934B-3714CC5FF247}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{18B1B8B1-4E35-4A12-B1CA-944B00BAF1FD}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{171F1DD0-1514-4347-A37A-B7655367A0E4}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{BFCDE734-DAC6-4B3F-B1DD-1177934F7EA4}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{80F1A701-BF14-4F4B-B139-4D831F5390C3}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{9F69B517-F7E3-4F8F-8AF9-034AF0FC63CF}C:\\program files\\ares\\ares.exe"= UDP:C:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{231FD8B2-47D6-4D5B-8619-A8A05C7FF3C7}C:\\program files\\ares\\ares.exe"= TCP:C:\program files\ares\ares.exe:Ares p2p for windows

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 tos_sps32;TOSHIBA tos_sps32 Service;C:\Windows\system32\DRIVERS\tos_sps32.sys [2007-09-19 10:59]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 TNaviSrv;TOSHIBA Navi Support Service;C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2007-09-19 11:01]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-26 12:55]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 13:11]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-09-13 15:23]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-19 02:50]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-03-12 21:47]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-01-10 01:00]
S3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2006-11-02 15:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f6bbee-27c7-11dd-9af7-001cbfcdd3e3}]
\shell\AutoRun\command - E:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ebe81b2-2ae8-11dd-bcd6-001cbfcdd3e3}]
\shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c58070d-2a17-11dd-bbf6-001e3331441a}]
\shell\AutoPlay\command - wscript.exe \saifulfaizan.js
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js
\shell\Explore\command - wscript.exe \saifulfaizan.js -Clicked
\shell\Open\command - wscript.exe \saifulfaizan.js
\shell\Scan for Viruses\command - wscript.exe \saifulfaizan.js
\shell\Scan with AVG\command - wscript.exe \saifulfaizan.js
\shell\Scan with Norton AntiVirus\command - wscript.exe \saifulfaizan.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d50ed21-29ab-11dd-a1c0-001cbfcdd3e3}]
\shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d50ed4c-29ab-11dd-a1c0-001e3331441a}]
\shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db2532ca-272a-11dd-ba7a-001cbfcdd3e3}]
\shell\AutoPlay\command - wscript.exe \saifulfaizan.js
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js
\shell\Explore\command - wscript.exe \saifulfaizan.js -Clicked
\shell\Open\command - wscript.exe \saifulfaizan.js
\shell\Scan for Viruses\command - wscript.exe \saifulfaizan.js
\shell\Scan with AVG\command - wscript.exe \saifulfaizan.js
\shell\Scan with Norton AntiVirus\command - wscript.exe \saifulfaizan.js

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 02:20:35 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-26 06:12:36 C:\Windows\Tasks\User_Feed_Synchronization-{11EA8DFC-B6F5-4624-B338-034E421E2214}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 14:13:07
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????uP0????(?-?P?-???-???-???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-26 14:14:07
ComboFix-quarantined-files.txt 2008-05-26 06:13:41
ComboFix2.txt 2008-05-25 15:17:42

Pre-Run: 94,812,381,184 bytes free
Post-Run: 94,786,908,160 bytes free

315 --- E O F --- 2008-05-23 13:30:17
 

GameMaster

New Member
OK, it seems that the log is the same. And that wscript doesn't seem like an infection; it seems that you're using two antiviruses and that's not good: AVG and Norton. Correct me if I'm wrong.
 

jjeisse

New Member
OK, it seems that the log is the same. And that wscript doesn't seem like an infection; it seems that you're using two antiviruses and that's not good: AVG and Norton. Correct me if I'm wrong.

Umm, from what I know, I don't think I have those two installed.
 

GameMaster

New Member
Oh...
shell\Scan with AVG\command - wscript.exe \saifulfaizan.js
\shell\Scan with Norton AntiVirus\command - wscript.exe \saifulfaizan
Funny...let's try this:
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Begin copying here:
Files to delete: 
C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HijackThis log.

Somehow I doubt this will work but it's worth trying.
I don't think that I could instruct you how to edit the registry values very well, since my English isn't that good and I'm not allowed to use one tool that would make this a lot easier. Let's pray Avenger will do the job but... well let's hope.
 

jjeisse

New Member
[Quote of GameMaster's Avenger instructions above]

Do I do this scan with my thumbdrive inserted?

This is the log file (I don't think it found anything):

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js"
Deletion of file "C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.
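The failure in the log above is worth reading closely: Avenger reports STATUS_OBJECT_PATH_NOT_FOUND because the string fed to "Files to delete:" is not a file path at all but a launcher command line (rundll32 calling the ShellExec_RunDLL export of Shell32.DLL, which in turn runs wscript.exe on \saifulfaizan.js). A leading backslash with no drive letter means "root of the current drive", so the real target is a .js file at the root of some drive; if that drive is the infected stick, the file only exists while the stick is plugged in. The Python below is an added example, not code from the thread, from Avenger or from HijackThis: it splits such a command line into its launcher chain and the payload actually run, expands the root-relative path against a set of candidate drive letters, and emits a "Files to delete:" block with real file paths. The drive letters C: and E: and the sample autorun.inf near the bottom are my constructed assumptions; the thread does not say how the .js entry was launched, and autorun.inf is only the usual place this launcher form turns up for USB-borne malware of the Vista era.

```python
import re

# Launchers commonly chained in front of the real payload. The rundll32
# "dll,export" form (e.g. Shell32.DLL,ShellExec_RunDLL) is matched separately.
LAUNCHER_NAMES = {"rundll32.exe", "wscript.exe", "cscript.exe", "cmd.exe", "start"}
DLL_EXPORT_RE = re.compile(r"^[^,\\]+\.dll,\w+$", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line into tokens, keeping quoted paths intact."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def is_launcher(token):
    name = token.rsplit("\\", 1)[-1].lower()
    return name in LAUNCHER_NAMES or bool(DLL_EXPORT_RE.match(name))


def parse_launcher_chain(cmdline):
    """Return (chain, payload): the launcher executables/exports in order, and
    the first token that is not a launcher, i.e. the file that actually runs."""
    chain, payload = [], None
    for tok in tokenize(cmdline):
        if payload is None and is_launcher(tok):
            chain.append(tok)
        elif payload is None:
            payload = tok
        # Anything after the payload is its arguments; not needed for triage.
    return chain, payload


def resolve_root_relative(payload, drives):
    """A leading backslash means 'root of the current drive'. When the entry
    came from removable media that drive is whichever letter the stick got,
    so return one candidate per drive root. Absolute paths come back as-is;
    a bare relative name depends on an unknown working directory (empty list)."""
    if payload is None:
        return []
    if re.match(r"^[A-Za-z]:\\", payload):
        return [payload]
    if payload.startswith("\\"):
        roots = [d.rstrip("\\") for d in drives]
        return [root + payload for root in roots]
    return []


def avenger_files_to_delete(paths):
    """Build the 'Files to delete:' block in the form the thread uses, one real
    file path per line, instead of the launcher command line Avenger rejected."""
    return "Files to delete:\n" + "\n".join(paths) + "\n"


def parse_autorun_inf(text):
    """Pull the launch commands out of an autorun.inf (assumed mechanism, see
    lead-in) and reduce each to its launcher chain and payload."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line or line.startswith(("[", ";")):
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() in ("open", "shellexecute", "shell\\open\\command"):
            found[key.lower()] = parse_launcher_chain(value)
    return found


# Constructed inputs: the command line is the one from the Avenger log above;
# the autorun.inf is a sample written for illustration, not from the thread.
LOG_ENTRY = r"C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \saifulfaizan.js"
SAMPLE_AUTORUN = """[autorun]
open=RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \\saifulfaizan.js
shellexecute=wscript.exe \\saifulfaizan.js
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def triage(cmdline=LOG_ENTRY, drives=("C:", "E:")):
    """Assumed drive letters: C: is the system drive, E: is where the stick mounts."""
    chain, payload = parse_launcher_chain(cmdline)
    candidates = resolve_root_relative(payload, drives)
    return {"chain": chain, "payload": payload, "candidates": candidates,
            "script": avenger_files_to_delete(candidates)}


if __name__ == "__main__":
    t = triage()
    print("launch chain  :", " -> ".join(t["chain"]))
    print("real payload  :", t["payload"])
    print("look for it at:", ", ".join(t["candidates"]))
    print(t["script"])
    for key, (_, payload) in parse_autorun_inf(SAMPLE_AUTORUN).items():
        print(f"autorun.inf {key}= runs {payload}")
```

Before pasting the generated block into Avenger, confirm which of the candidate paths actually exists (with the stick inserted, since a root-relative entry from removable media points at the stick's root), and keep in mind that deleting the .js alone leaves the launcher entry itself, wherever it lives, to be removed separately.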