WiredWX Christian Hobby Weather Tools
Another Win Blue Virus. Help Please
I found out the original source was from the iPod recycler virus. I would like to run a check on the iPod itself after this, but I don't know. Anyway, I can run everything on the laptop, but I can't get the report from Hijack This because it denies me entry into the C: drive, saying something about a RECYCLE error. Should I run MGTools and upload the log? Thanks again for the help.

Re: Another Win Blue Virus. Help Please
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: Another Win Blue Virus. Help Please
After the scan it won't open up the notepad like it usually does, and I can't get access to it. I could screen capture the scan itself and post it if that works, or is there another way?

Re: Another Win Blue Virus. Help Please
Try to rename Hijackthis to anything, for example Hijkachuis.exe, then run the above instructions to see if you can get the log.


Re: Another Win Blue Virus. Help Please
No dice.

Re: Another Win Blue Virus. Help Please
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Another Win Blue Virus. Help Please
Avenger won't open. And for the Hijack Log, I was looking around a bit and it's blocking text documents in general.

Re: Another Win Blue Virus. Help Please
The c drive error is just an autorun.inf file.

Go into "My Computer", then right click the C: drive > Explore.

Run MGTools if you can.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Another Win Blue Virus. Help Please
MG Tools gets to the command screen but then shuts down and Hijack this scans but I don't know where it's saving the log if it's making one at all.

Re: Another Win Blue Virus. Help Please
It's inside the folder called MGTools inside the C drive.


Re: Another Win Blue Virus. Help Please
Oh ok, thank you very much. Here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:53 AM, on 6/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\MGtools\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [Run] C:\Documents and Settings\Bao-Chau\Application Data\Adobe\Player.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm238YYUS
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/CursorManiaFWBInitialSetup1.0.1.0.cab
O20 - AppInit_DLLs: blocker.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 10718 bytes

Re: Another Win Blue Virus. Help Please
Hello.
Is this log from the same machine we cleaned before? Anyhow, you have the newest version. That setup2.exe is now tempo-setup2.exe.

  • Open HijackThis (remember it's called "Analyse.exe")
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
    O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Run] C:\Documents and Settings\Bao-Chau\Application Data\Adobe\Player.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
    O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'Default user')
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm238YYUS
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/CursorManiaFWBInitialSetup1.0.1.0.cab
    O20 - AppInit_DLLs: blocker.dll
    O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe


  • Press "Fix Checked"
  • Close Hijack This.

Next,

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    (screenshots: CF_download_FF, CF_download_rename)

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Trend Micro)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    (screenshot: Rcauto10)

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    (screenshot: Whatne10)

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

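As an added example (not code from this thread, from HijackThis or from ComboFix), the following Python script parses HijackThis-style entries like the ones in the posted log and flags the same kinds of items the helper singled out: a non-empty O20 AppInit_DLLs value, Run values under the HKUS SYSTEM/Default user hives, autoruns launched from a user profile folder, and paths under the adware folders named in this thread. The watchlist and the sample lines are constructed from the posted log and are assumptions for illustration only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Folders the helper told the user to remove in this thread; used here as a
# constructed watchlist for illustration, not a general signature set.
WATCHLIST_FOLDERS = ("MyWebSearch", "FunWebProducts", "WinBlueSoft")

# Constructed sample in HijackThis format: lines copied from the posted log
# plus two benign vendor entries (Synaptics, Bonjour) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKCU\..\Run: [Run] C:\Documents and Settings\Bao-Chau\Application Data\Adobe\Player.exe
O4 - HKUS\S-1-5-18\..\Run: [tempo-setup2.exe] C:\WINDOWS\system32\tempo-setup2.exe (User 'SYSTEM')
O20 - AppInit_DLLs: blocker.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Generic "<code> - <body>" shape of every HijackThis finding line.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# "O4 - HKLM\..\Run: [name] command" with an optional "(User 'X')" suffix.
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\")


@dataclass
class Entry:
    code: str                          # HijackThis section code, e.g. O4, O20
    raw: str                           # the full log line
    hive: Optional[str] = None         # O4 only: HKLM, HKCU, HKUS\<sid>
    name: Optional[str] = None         # O4 only: value name in [brackets]
    command: Optional[str] = None      # O4 only: command line, user suffix stripped
    appinit_dll: Optional[str] = None  # O20 only: AppInit_DLLs value


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for headers, blanks and process paths."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(code=m.group("code"), raw=line.strip())
    body = m.group("body")
    if entry.code == "O4":
        r = RUN_RE.match(body)
        if r:
            entry.hive = r.group("hive")
            entry.name = r.group("name")
            entry.command = USER_SUFFIX_RE.sub("", r.group("cmd"))
    elif entry.code == "O20" and body.startswith("AppInit_DLLs:"):
        entry.appinit_dll = body[len("AppInit_DLLs:"):].strip()
    return entry


def assess(entry: Entry) -> List[str]:
    """Return the reasons an entry deserves a look; an empty list means nothing noted."""
    reasons: List[str] = []
    if entry.appinit_dll:
        # AppInit_DLLs is loaded into every process that links user32.dll, which is
        # how one DLL can block Notepad, regedit and the AV console alike.
        reasons.append(f"AppInit_DLLs loads {entry.appinit_dll} into every GUI process")
    if entry.hive and entry.hive.startswith("HKUS\\"):
        reasons.append(f"Run value under {entry.hive} fires for the SYSTEM/Default user")
    if entry.command and any(d in entry.command.lower() for d in PROFILE_DIRS):
        reasons.append("autorun executable lives inside a user profile folder")
    for folder in WATCHLIST_FOLDERS:
        if folder.lower() in entry.raw.lower():
            reasons.append(f"path references watchlisted folder '{folder}'")
            break
    return reasons


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that have at least one reason attached."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and assess(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.raw)
        for reason in assess(e):
            print("   ->", reason)
```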

forgot some stuff
No, someone installed an iPod virus remover on the previous and now this one.

I ran Hijack This and removed everything posted, but combo-fix won't open. It might be the anti-virus that's blocking, but I can't disable it because it won't let me open Trend Micro. On that note, I can't run regedit either. Should I go and find the setup2, ieocx and sysav?

Re: Another Win Blue Virus. Help Please
Hello.
Try running Combofix in safe mode. Also, did you rename it as Combo-Fix?

Try and delete the following files/folders in bold. Do you remember how to unhide system files? One of these files to delete is in a hidden system folder.

C:\Program Files\WinBlueSoft Software <== folder
C:\Program Files\MyWebSearch <== folder
C:\WINDOWS\system32\tempo-setup2.exe <== file
C:\WINDOWS\system32\blocker.dll <== file
C:\Documents and Settings\Bao-Chau\Application Data\Adobe\Player.exe <== file


Re: Another Win Blue Virus. Help Please
It's the blocker.dll. Do I need the .inf file again?

Re: Another Win Blue Virus. Help Please
Not if the O20 is gone in Hijack This.
Try manually deleting the files as I asked.


Re: Another Win Blue Virus. Help Please
The only one I found was blocker.dll. Everything else has been deleted.

Re: Another Win Blue Virus. Help Please
Hello.

  • Open HijackThis
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Delete a file on reboot..."
  • Locate this file: C:\Windows\system32\blocker.dll
  • Okay any prompt and select yes to reboot.

Then after reboot, see if you can delete the O20 item again in a normal Hijack This run.


Re: Another Win Blue Virus. Help Please
Here's the log:

ComboFix 09-05-31.06 - Bao-Chau 06/02/2009 18:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.161 [GMT -6:00]
Running from: c:\documents and settings\Bao-Chau\Desktop\Combo-Fix.exe
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\0102A84F.urr
c:\program files\FunWebProducts\Shared\0004E01B.dat
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\0028E953
c:\program files\MyWebSearch\bar\Cache\002900F2.bin
c:\program files\MyWebSearch\bar\Cache\002901CD.bin
c:\program files\MyWebSearch\bar\Cache\002902C7.bin
c:\program files\MyWebSearch\bar\Cache\002903B1.bin
c:\program files\MyWebSearch\bar\Cache\002D0F37.bin
c:\program files\MyWebSearch\bar\Cache\002D12D1.bin
c:\program files\MyWebSearch\bar\Cache\0079C130
c:\program files\MyWebSearch\bar\Cache\007F2716
c:\program files\MyWebSearch\bar\Cache\00D3BFD3
c:\program files\MyWebSearch\bar\Cache\01301A76
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\setting2.htm.bak
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\MyWebSearch\bar\Settings\settings.dat.bak
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\windows\1034v9rus58z.cpl
c:\windows\10355not-a-9zru55f3.exe
c:\windows\10544no9za-virus3b4.cpl
c:\windows\105z9worm7a95.ocx
c:\windows\10685sp9mbot5az.exe
c:\windows\1188zhac95ool535.ocx
c:\windows\12049ownloader25z9.ocx
c:\windows\12302not-a-5irus90z.ocx
c:\windows\12527hack9ozl39b.ocx
c:\windows\1259down9oader2z49.ocx
c:\windows\1259vzr2867.dll
c:\windows\12984hack5ool19z.exe
c:\windows\129e5pyzare2593.exe
c:\windows\12z25spy9d7.ocx
c:\windows\12z39troj592.exe
c:\windows\13209zp9655.bin
c:\windows\133ddowz9oa5er1509.bin
c:\windows\135z9spy6659.dll
c:\windows\13628zackto595a2.ocx
c:\windows\137z29acktool555.bin
c:\windows\13869teaz2915.bin
c:\windows\14533h9cktool2zc5.ocx
c:\windows\149zdownlo5der872.ocx
c:\windows\15105troj609z.exe
c:\windows\15519hacktool17z.ocx
c:\windows\15583hackt9olzda.exe
c:\windows\15836trojzac9.bin
c:\windows\15840sp94z8.dll
c:\windows\1591hackto5l4z5.ocx
c:\windows\15935worz1d9.cpl
c:\windows\1597tz5eat16046.cpl
c:\windows\15b6thief915z.cpl
c:\windows\15z67wo5m96c.bin
c:\windows\15z71spam9ot230.dll

Re: Another Win Blue Virus. Help Please

Re: Another Win Blue Virus. Help Please

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-02 02:15 . 2009-06-02 02:14 1164288 ----a-w- c:\windows\system32\tempo-setup2.exe
2009-05-30 01:46 . 2009-05-30 01:46 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\InterVideo
2009-05-30 01:04 . 2009-06-03 00:42 -------- d-----w- C:\MGtools
2009-05-29 16:26 . 2009-05-29 16:26 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\Malwarebytes
2009-05-29 01:34 . 2009-05-29 01:35 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\GetRightToGo
2009-05-13 20:33 . 2009-05-13 20:33 5419 ----a-w- c:\windows\system32\532noz59-virusd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 00:49 . 2008-09-08 04:44 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\BitTorrent
2009-06-02 02:33 . 2008-09-27 21:44 -------- d-----w- c:\program files\Trend Micro
2009-06-02 02:13 . 2008-09-08 04:44 -------- d-----w- c:\program files\DNA
2009-06-02 02:13 . 2008-09-08 04:44 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\DNA
2009-04-06 12:47 . 2008-09-22 01:36 -------- d-----w- c:\program files\AVS4YOU
2009-04-02 22:00 . 2008-09-27 21:48 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 22:00 . 2008-09-27 21:48 52624 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 22:00 . 2008-09-27 21:48 142864 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-04-02 00:01 . 2009-04-02 00:01 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-04-01 21:16 . 2009-04-01 21:16 152576 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-14 04:40 . 2008-09-22 01:39 55800 ----a-w- c:\documents and settings\Bao-Chau\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-13 02:34 . 2009-03-13 02:34 503808 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\msvcp71.dll
2009-03-13 02:34 . 2009-03-13 02:34 499712 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\jmc.dll
2009-03-13 02:34 . 2009-03-13 02:34 348160 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\msvcr71.dll
2009-03-13 02:24 . 2009-03-13 02:24 152576 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 11:19 . 2008-12-04 04:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-08 02:12 . 2008-12-19 05:33 0 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-03-06 14:22 . 2005-08-09 20:38 284160 ----a-w- c:\windows\system32\pdh.dll
2009-03-06 05:59 . 2009-04-02 00:14 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-06 05:59 . 2008-09-07 04:08 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-15 492808]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2008-09-26 634672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2005-08-01 1093632]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-9 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/31/2005 6:08 PM 211200]

Re: Another Win Blue Virus. Help Please
--- Other Services/Drivers In Memory ---

.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 18:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Bao-Chau\Application Data\Mozilla\Firefox\Profiles\rgvhgajh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/my_subscriptions
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 19:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\WinRAR\rarext.dll
c:\program files\Sonic\RecordNow!\shlext.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Trend Micro\Internet Security\TmProxy.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trend Micro\Internet Security\UfUpdUi.exe
c:\program files\Trend Micro\Internet Security\SfFnUp.exe
.
**************************************************************************
.
Completion time: 2009-06-03 19:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 01:16

Pre-Run: 2,830,245,888 bytes free
Post-Run: 3,451,670,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

1075 --- E O F --- 2009-05-15 07:03

Re: Another Win Blue Virus. Help Please

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\tempo-setup2.exe
c:\windows\system32\532noz59-virusd.exe
c:\program files\DNA
c:\documents and settings\Bao-Chau\Application Data\DNA

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-



Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: CFScript.txt being dragged onto the ComboFix icon]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: Another Win Blue Virus. Help Please

ComboFix 09-05-31.06 - Bao-Chau 06/02/2009 21:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.93 [GMT -6:00]
Running from: c:\documents and settings\Bao-Chau\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Bao-Chau\Desktop\CFScript.txt.txt
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\documents and settings\Bao-Chau\Application Data\DNA"
"c:\program files\DNA"
"c:\windows\system32\532noz59-virusd.exe"
"c:\windows\system32\tempo-setup2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\532noz59-virusd.exe
c:\windows\system32\tempo-setup2.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-05-30 01:46 . 2009-05-30 01:46 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\InterVideo
2009-05-30 01:04 . 2009-06-03 00:42 -------- d-----w- C:\MGtools
2009-05-29 16:26 . 2009-05-29 16:26 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\Malwarebytes
2009-05-29 01:34 . 2009-05-29 01:35 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 03:28 . 2008-09-08 04:44 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\BitTorrent
2009-06-03 01:18 . 2005-08-09 22:45 -------- d-----w- c:\program files\America Online 9.0
2009-06-02 02:33 . 2008-09-27 21:44 -------- d-----w- c:\program files\Trend Micro
2009-06-02 02:13 . 2008-09-08 04:44 -------- d-----w- c:\program files\DNA
2009-06-02 02:13 . 2008-09-08 04:44 -------- d-----w- c:\documents and settings\Bao-Chau\Application Data\DNA
2009-04-06 12:47 . 2008-09-22 01:36 -------- d-----w- c:\program files\AVS4YOU
2009-04-02 22:00 . 2008-09-27 21:48 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 22:00 . 2008-09-27 21:48 52624 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 22:00 . 2008-09-27 21:48 142864 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-04-02 00:01 . 2009-04-02 00:01 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-04-01 21:16 . 2009-04-01 21:16 152576 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-14 04:40 . 2008-09-22 01:39 55800 ----a-w- c:\documents and settings\Bao-Chau\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-13 02:34 . 2009-03-13 02:34 503808 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\msvcp71.dll
2009-03-13 02:34 . 2009-03-13 02:34 499712 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\jmc.dll
2009-03-13 02:34 . 2009-03-13 02:34 348160 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-3c35416a-n\msvcr71.dll
2009-03-13 02:24 . 2009-03-13 02:24 152576 ----a-w- c:\documents and settings\Bao-Chau\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 11:19 . 2008-12-04 04:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-08 02:12 . 2008-12-19 05:33 0 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-03-06 14:22 . 2005-08-09 20:38 284160 ----a-w- c:\windows\system32\pdh.dll
2009-03-06 05:59 . 2009-04-02 00:14 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-06 05:59 . 2008-09-07 04:08 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-15 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2005-08-01 1093632]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-9 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [9/27/2008 3:48 PM 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/15/2008 8:37 AM 36368]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/31/2005 6:08 PM 211200]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/15/2008 8:37 AM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/27/2008 3:48 PM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [9/27/2008 3:48 PM 648456]
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Bao-Chau\Application Data\Mozilla\Firefox\Profiles\rgvhgajh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/my_subscriptions
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 21:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-03 21:30
ComboFix-quarantined-files.txt 2009-06-03 03:30
ComboFix2.txt 2009-06-03 01:16

Pre-Run: 3,543,367,680 bytes free
Post-Run: 3,528,015,872 bytes free

149 --- E O F --- 2009-05-15 07:03

Re: Another Win Blue Virus. Help Please

By the way, after this could you help with scanning an iPod. Said person said when they opened their iPod as a USB in MyComputer the virus automatically installed itself.

Re: Another Win Blue Virus. Help Please

Thanks Origin. :)

PatTheBaker - We need to clean the iPod then, but read my instructions carefully, because when we plug it in, we need to have this next tool already open and running because it will disable the infection on the iPod.

Please download USBNoRisk to your Desktop and run it by double clicking the program's icon.

  1. Wait a couple of seconds for the initial scan to finish.
  2. Connect all of your USB storage devices to the PC, one at a time, and keep each one connected for at least 10 seconds.
  3. If there are several USB storage devices to scan, please take a note of the order in which they were connected.
  4. After all the devices are scanned, right click in the Monitor tab and choose "Save log". That will open the log in Notepad. Please copy and paste the log into this thread.
Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Another Win Blue Virus. Help Please

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/3/2009 2:15:30 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {f7178da6-7c6b-11dd-86d3-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for f7178da6-7c6b-11dd-86d3-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

autorun.inf found in Qoobox
----------------------------------------
Content of C:\QooBox\Quarantine\C\autorun.inf.vir
----------------------------------------
[autorun]
;tkwhbrmeqmsucxgfrxhazfdpiwhnpnadsnfwmbzcacussdngwierruzqkiycldpeqbxqkgainjnx
shellexecute="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com c:\"
;bophwpwedljgdhjwjgrcmjhgdxyojtrxqeyuxfxfd
shell\Open\command="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com c:\"
;rymhmdvswyxnwdguamozcdapdpripjxzcdhwstotykmazroxlmknzqgihnhwwtqxipwgdrekbprvmryiujzmpx
shell=Open
----------------------------------------
========================================
Initial scan finished!
========================================


New device connected at 6/3/2009 2:17:51 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {b3a518fa-9033-11dd-8715-00c09fda8693}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
autorun.inf found on F:
----------------------------------------
File F:\autorun.inf renamed successfully

Content of F:\autorun.inf.blocked
----------------------------------------
[autorun]
;iykaktyojqhzpgbowchprnrbccezpulrhqqhlsdtbigvbvgdfypqyncnagwbpnsqfxpalugxrlpvimvfyeuatohobrdbseobuckfhtzfa
shellexecute="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com f:\"
;znwqmsbpycckmwh
shell\Open\command="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com f:\"
;avsqollqwxvyvxzsjtwelnsmtixyiuebyrmhjplqtssndkhejzuplspnkazjswqbgtaigtsxphszjmkzraygbuzjmyoaobyaaqzyxi
shell=Open
----------------------------------------

Files referenced from F:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

Sanitized mountpoint for b3a518fa-9033-11dd-8715-00c09fda8693
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================

Last edited by PatTheBaker on 3rd June 2009, 8:20 pm; edited 2 times in total (Reason for editing : Here's the Log)
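The two autorun.inf bodies in the log above show how this infection spread between the laptop and the iPod: the file pads itself with random comment lines, then points `shellexecute=`, `shell\Open\command=` and `shell=Open` at a launcher hidden in a `RECYCLER` folder under an SID-like file name, so simply opening the drive in My Computer ran it. The script below is an added example for triage, not USBNoRisk's or the thread's code. It parses an autorun.inf the way a defender would when a USB device is handed in, reports every entry that would launch something, and flags the RECYCLER pattern as malicious. The F: body from the log is used as the malicious sample; the benign and CD-style samples are constructed for illustration.

```python
import re

# Keys whose value Windows executes when the volume is AutoPlayed or double-clicked.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command keys redirect an Explorer context-menu verb (Open, Explore, ...).
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")
# Launcher hidden in a RECYCLER folder under an SID-like name, as in the USBNoRisk log.
RECYCLER_RE = re.compile(
    r"recycler\\s-1-\d+(?:-\d+)+\.(?:com|exe|scr|pif|bat|cmd)$", re.IGNORECASE)
# Extensions that are unusual for a legitimate installer launched from removable media.
SUSPECT_EXT = (".com", ".pif", ".scr", ".bat", ".cmd")


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section. Keys are lowercased,
    ';' comment lines are skipped and surrounding quotes are stripped from values."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((key.strip().lower(), value.strip().strip('"')))
    return entries


def analyze_autorun(text):
    """Classify one autorun.inf as 'benign', 'suspicious' or 'malicious'
    and return (verdict, reasons)."""
    reasons = []
    launches = False
    recycler_hit = False

    # Worms of this family pad the file with long random comment lines so that
    # naive signature matching on the file body fails; count them as a signal.
    junk = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";") and len(line) > 30 and " " not in line:
            junk += 1
    if junk:
        reasons.append(f"{junk} comment line(s) of random padding")

    for key, value in parse_autorun(text):
        target = value.split()[0] if value else ""
        verb = SHELL_COMMAND_RE.match(key)
        if key in LAUNCH_KEYS:
            launches = True
            reasons.append(f"{key}= runs '{target}' when the volume is AutoPlayed")
        elif verb:
            launches = True
            reasons.append(f"Explorer verb '{verb.group(1)}' redirected to '{target}'")
        elif key == "shell":
            launches = True
            reasons.append(f"default double-click action set to verb '{value}'")
            continue
        else:
            continue  # icon=, label= and similar entries launch nothing
        if RECYCLER_RE.search(target):
            recycler_hit = True
            reasons.append(f"launcher hidden in a RECYCLER folder under an SID-like name: {target}")
        elif target.lower().endswith(SUSPECT_EXT):
            reasons.append(f"launcher has an unusual executable extension: {target}")

    if recycler_hit:
        verdict = "malicious"
    elif launches or junk:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, reasons


# Malicious sample: the F:\autorun.inf.blocked body quoted in the USBNoRisk log.
INFECTED_F = r"""[autorun]
;iykaktyojqhzpgbowchprnrbccezpulrhqqhlsdtbigvbvgdfypqyncnagwbpnsqfxpalugxrlpvimvfyeuatohobrdbseobuckfhtzfa
shellexecute="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com f:\"
;znwqmsbpycckmwh
shell\Open\command="RECYCLER\S-1-3-54-100009281-100029388-100001899-7734.com f:\"
;avsqollqwxvyvxzsjtwelnsmtixyiuebyrmhjplqtssndkhejzuplspnkazjswqbgtaigtsxphszjmkzraygbuzjmyoaobyaaqzyxi
shell=Open
"""

# Constructed benign sample: only sets an icon and a label, launches nothing.
BENIGN = """[autorun]
icon=backup.ico
label=Backup Drive
"""

# Constructed CD-style sample: launches an installer, so it still deserves a look.
CD_STYLE = """[autorun]
open=setup.exe
icon=setup.exe,0
"""

if __name__ == "__main__":
    for name, body in (("F: (from log)", INFECTED_F), ("benign", BENIGN), ("cd-style", CD_STYLE)):
        verdict, reasons = analyze_autorun(body)
        print(f"{name}: {verdict}")
        for reason in reasons:
            print(f"  - {reason}")
```

The verdict deliberately treats any autorun.inf that launches an executable from removable media as at least suspicious; on XP with AutoPlay enabled that is exactly the path this infection took, which is why USBNoRisk renames the file to `autorun.inf.blocked` before Explorer can act on it.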

Re: Another Win Blue Virus. Help Please

Hello.
That's disabled the infection, now we need to remove it fully. Whatever drive F:\ is, make sure you keep it plugged in and do not unplug it until I say so, otherwise this won't work.

Please open USBNoRisk again; we need to use a custom script to delete the malicious autorun.inf files.

  1. When USBNoRisk opens, go into the Script tab, and insert the bolded script below.

    {f7178da6-7c6b-11dd-86d3-806d6172696f}
    protect:
    {b3a518fa-9033-11dd-8715-00c09fda8693}
    delete: F:\autorun.inf.blocked
    protect:



  2. Then press the Run Script button.
  3. Copy and paste the report back here.


Re: Another Win Blue Virus. Help Please

It gets a Not Responding when I run the script so I can't get a log.

Re: Another Win Blue Virus. Help Please

Might be some other software conflicting. Let's try disabling Trend Micro.

See HERE for how to disable your AV. (Trend Micro)


Re: Another Win Blue Virus. Help Please

No response still.

Re: Another Win Blue Virus. Help Please

Fine, we'll delete it manually.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    F:\autorun.inf.blocked


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: Another Win Blue Virus. Help Please

USB No Risk moved the autorun file onto the desktop.

Re: Another Win Blue Virus. Help Please

Weird.
Okay, delete it manually.


Re: Another Win Blue Virus. Help Please

OK, I deleted.

Re: Another Win Blue Virus. Help Please

This should be fine now. The iPod is clean now.


Re: Another Win Blue Virus. Help Please

Thank you very much for helping again. Anything else left for the computer?

Re: Another Win Blue Virus. Help Please

Nope, not that I can see.


Re: Another Win Blue Virus. Help Please

OK, thanks.
