I messed up pretty good.


This topic is locked
6 replies to this topic

#1 ranger2502 (New Member, 3 posts)

Posted 06 January 2006 - 07:42 PM

My father told me that you guys are great at solving these types of problems. I keep getting a message that my computer is infected. I have already run Spybot and I have Ad-Aware and Ad-Watch running.

Here is the log. Please help me??????

Logfile of HijackThis v1.99.1
Scan saved at 8:12:35 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\winstall.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\msgr32.exe
C:\Documents and Settings\Brian\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {1393F29F-3AD1-88F1-8182-7EBCC2149DC1} - C:\WINDOWS\mswr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Class - {677FA3DE-B011-FFA7-A440-87572E2E5E35} - C:\WINDOWS\system32\netll.dll
O2 - BHO: Class - {C411A256-DC8B-9D84-0C38-5F2589813988} - C:\WINDOWS\atlsw.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134336848166
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134336838573
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msgr32.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

Thanks in advance for all your help

SPC E4 Ranger



#2 Siggyx (SuperHelper, Authentic Member, 6,776 posts)

Posted 06 January 2006 - 11:14 PM

The Fix:

Step#1: Getting Ready

(The reason WordPad was chosen is that Notepad is sometimes deleted by this variant.)


Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available.

After downloading the tools, you must disconnect from the internet totally, because staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening either will reinstall the infection.

As a replacement for Internet Explorer during this fix, please use Internet Explorer once to download and install Firefox, to be used as your alternate browser throughout this fix.

Close Outlook Express and Internet Explorer for the duration of this fix

Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Please start by downloading, with Firefox, the tools you will need to clean this infection. If you have a problem or question with any of them, please continue to follow the list step by step to the end and ask the questions when you are asked to reply. Just be sure to let us know what the problem was when you finally reply.



Step#2: Show All Hidden Files (Very Important)

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigha...ds/xphidden.zip


Step#3: Download CWShredder (Do Not Use Yet)

1. Please Download the most recent version of CWShredder, from CWSInstall.exe

2. Check for Updates but please Do NOT use it yet



Step#4: Download About Buster (Do Not Use Yet)

1. Please download About:Buster from here: http://www.malwareby...AboutBuster.zip

2. Once it is downloaded extract it to c:\aboutbuster.


Step#5: Download Registrar Lite (Do Not Use Yet)

Another program to download is Registrar Lite, for use later. Please download Registrar Lite and install it to C:\Program Files\RegLite\ . This is a registry editor that is very easy to use. Caution should be exercised when editing the registry, as it is very easy to render a computer unbootable by deleting the wrong key.


Step#6: Download Ewido Security Suite (Only For Windows 2000 and XP; Do Not Use Yet)
  • Download and install Ewido security suite
  • Right Click on the “E” icon in your taskbar and open Ewido Security Suite then click “update” to get the most recent definitions for it to use.
  • When it prompts you to update, click the OK button.
  • Download the updates and, when they are finished installing, close the window.
  • Please Do Not Use It Yet

Step#6: Download A Registry File to Remove Registry Entries (Do Not Use Yet)
  • Please download the following zip file to your desktop:
    HSfix
  • Double Click on HSfix.zip and it will unzip to a new folder it makes on your desktop, called HSfix
  • Do Not Use It Yet


Please disconnect from the Internet




Step#7: Disable The Bad Service ** Very Important!! **
  • Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE
  • Click on start > control panel > administrative programs > services. Look for a service called Network Security Service . Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step#8: Stop The Running Processes



Press control-alt-delete to get into the task manager and end the following processes if they exist:

msgr32.exe
winstall.exe



Step#9: Use HijackThis to Delete About:Blank Bad Files

I now need you to delete the following files:

C:\WINDOWS\mswr.dll
C:\WINDOWS\system32\netll.dll
C:\WINDOWS\atlsw.dll
C:\winstall.exe
C:\WINDOWS\msgr32.exe


If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.



Step#10: Cleaning With HijackThis

Then close all programs and windows and run HijackThis. Put a checkmark next to each of these entries and click the 'Fix checked' button when ready (some may be gone after uninstalling some programs):



R3 - Default URLSearchHook is missing

O2 - BHO: Class - {1393F29F-3AD1-88F1-8182-7EBCC2149DC1} - C:\WINDOWS\mswr.dll
O2 - BHO: Class - {677FA3DE-B011-FFA7-A440-87572E2E5E35} - C:\WINDOWS\system32\netll.dll
O2 - BHO: Class - {C411A256-DC8B-9D84-0C38-5F2589813988} - C:\WINDOWS\atlsw.dll

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msgr32.exe





click "fix checked"


Step#11: Backup The Registry

In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite:(this is making a Registry backup for safety in case of error)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Go to File > Export and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: scroll to select regedt32/WinAPI *.hiv *.dat files)


Step#12: Use the HSfix.reg file
  • Navigate to the HSfix folder on your Desktop
  • Then double-click on the HSfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
  • If you have a popup from any of your protection programs asking if you want to make a change to the registry, say Yes or Accept it.

Step#13: Fixing With CWShredder
  • CLOSE ALL WINDOWS except CWShredder
  • Run the program by clicking 'fix' and letting it fix all CWS remnants.


Step#14: Fixing With About Buster

This is the step where we will use About:Buster that you had downloaded previously.
  • Navigate to the c:\aboutbuster directory
  • Double-click on aboutbuster.exe
  • When the tool opens, press the OK button, then the Start button, then the OK button,
  • then finally the Yes button. It will start scanning your computer for files.
  • If it asks if you would like to do a second pass, allow it to do so.
  • Post the log file in your next reply


Step#15: Scan With Ewido Security Suite
  • Launch Ewido again
  • Click on Scanner>Complete System Scan.
  • Let the program scan your PC.
  • When the scan asks to clean files click OK.
  • When the scan is completed, click Save report and save it to your desktop.
  • Post the report in your next reply.

Reboot your computer back to normal mode and reconnect to the Internet.



Step#16: Scan and Post a New HJT Log with the Other Logs
  • Scan again with HijackThis.
  • Post your logs from HijackThis, About Buster, and Ewido Security Suite here in this thread with any questions or problems that you have run into.
  • There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.
Good Luck!
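The HijackThis entries the fix above singles out share a few recognisable traits: a BHO registered as a bare "Class", an "Unknown owner" service with a garbage short name running from the Windows folder, a Run entry launching from the drive root, and the missing URLSearchHook. The following Python script is an added example, not part of this thread and not a HijackThis or What the Tech tool: it parses the R/O lines of a log, flags those traits for a helper's review, and diffs a pre-fix log against a post-fix log so that the "post a new log" step can be checked mechanically. The two embedded logs are abridged from the ones posted in this thread; the heuristics are this example's own.

```python
"""Triage helper for HijackThis (HJT) logs like the ones posted in this thread.
Parses the R*/O* entries, flags the patterns the fix above targets, and diffs a
pre-fix log against a post-fix log to confirm what the cleanup actually removed.
The flags are review hints for a helper, not an automatic delete list."""
import re

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(.*?)\] (.*)$")

# Abridged from the two HJT logs in this thread: before the fix (post #1) and after (post #3).
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {1393F29F-3AD1-88F1-8182-7EBCC2149DC1} - C:\WINDOWS\mswr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Class - {677FA3DE-B011-FFA7-A440-87572E2E5E35} - C:\WINDOWS\system32\netll.dll
O2 - BHO: Class - {C411A256-DC8B-9D84-0C38-5F2589813988} - C:\WINDOWS\atlsw.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msgr32.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
"""
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

def parse_hjt(text):
    """Return the R*/O* entries of an HJT log as (section code, body) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def target_exe(command):
    """Executable of a Run command: the quoted path, or the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def odd_location(path):
    """True for a binary sitting directly in the drive root or the Windows folder
    (C:\\winstall.exe, C:\\WINDOWS\\msgr32.exe) rather than in a program folder."""
    return re.fullmatch(r"[A-Za-z]:\\(windows\\)?[^\\]+", path, re.IGNORECASE) is not None

def looks_garbled(short_name):
    """Legitimate short service names are plain ASCII identifiers (ACS, CFSvcs)."""
    return not (short_name.isascii() and short_name.isprintable())

def flag_suspicious(entries):
    """Return (entry, reason) pairs that deserve a closer look."""
    flags = []
    for code, body in entries:
        entry = f"{code} - {body}"
        if code == "R3" and body == "Default URLSearchHook is missing":
            flags.append((entry, "URLSearchHook missing, a marker the fix lists"))
        elif code == "O2" and body.startswith("BHO: "):
            parts = body[len("BHO: "):].rsplit(" - ", 2)
            # Genuine BHOs carry a class name (AcroIEHlprObj Class, DriveLetterAccess);
            # the hijacker's DLLs register themselves as a bare "Class".
            if len(parts) == 3 and parts[0].strip() == "Class":
                flags.append((entry, f"BHO with no class name loading {parts[2]}"))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m and odd_location(target_exe(m.group(2))):
                flags.append((entry, "Run entry starts a binary from an unusual folder"))
        elif code == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            names, owner, path = parts
            short = names[names.rfind("(") + 1:-1] if names.endswith(")") else names
            if owner == "Unknown owner" and (odd_location(path) or looks_garbled(short)):
                flags.append((entry, f"service with no vendor info running {path}"))
    return flags

def diff_hjt(before_text, after_text):
    """Entries only in the pre-fix log (removed) and only in the post-fix log (added)."""
    before, after = set(parse_hjt(before_text)), set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)

if __name__ == "__main__":
    for entry, reason in flag_suspicious(parse_hjt(BEFORE_LOG)):
        print(f"REVIEW ({reason}):\n    {entry}")
    removed, added = diff_hjt(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries gone after the fix, {len(added)} new")
    for code, body in removed:
        print(f"  - {code} - {body}")
```

Run against the full logs, the diff also surfaces entries that disappeared without being on the fix list, which is exactly the kind of collateral change a helper wants to notice before declaring a machine clean.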

#3 ranger2502 (New Member, 3 posts)

Posted 07 January 2006 - 08:23 PM

That was sure a long road to hoe. I'm amazed you guys know all this stuff. Here are the logs that you requested.

Logfile of HijackThis v1.99.1
Scan saved at 9:13:26 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Brian\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134336848166
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134336838573
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

AboutBuster 6.0
Scan started on [1/7/2006] at [6:52:09 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:kzgvoh
Removed Stream! C:\WINDOWS\DtcInstall.log:pizjti
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:ijswns
Removed Stream! C:\WINDOWS\imsins.BAK:ajkbpd
Removed Stream! C:\WINDOWS\KB826942.log:rthxro
Removed Stream! C:\WINDOWS\KB905749.log:xhpdrf
Removed Stream! C:\WINDOWS\msdfmap.ini:ybxpym
Removed Stream! C:\WINDOWS\OEWABLog.txt:gtjily
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:rmcnfi
Removed Stream! C:\WINDOWS\q329623.log:fwexl
Removed Stream! C:\WINDOWS\Q810583.log:boffbv
Removed Stream! C:\WINDOWS\Q817472.log:qyhqi
Removed Stream! C:\WINDOWS\Q817472.log:uoyldg
Removed Stream! C:\WINDOWS\REGLOCS.OLD:nwsqsl
Removed Stream! C:\WINDOWS\regopt.log:aztbee
Removed Stream! C:\WINDOWS\setuplog.txt:izgtlt
Removed Stream! C:\WINDOWS\spupdsvc.log:tazyfv
Removed Stream! C:\WINDOWS\spupdsvc.log:tntgai
Removed Stream! C:\WINDOWS\stub13.ini:lsxoqd
Removed Stream! C:\WINDOWS\stub19.ini:tabqvh
Removed Stream! C:\WINDOWS\stub25.ini:yvmajd
Removed Stream! C:\WINDOWS\stub43.ini:fsdoyx
Removed Stream! C:\WINDOWS\stub51.ini:ncxlta
Removed Stream! C:\WINDOWS\stub55.ini:bqmpk
Removed Stream! C:\WINDOWS\stub56.ini:yaculc
Removed Stream! C:\WINDOWS\stub57.ini:mvjug
Removed Stream! C:\WINDOWS\stub57.ini:uemuga
Removed Stream! C:\WINDOWS\stub60.ini:nffzjk
Removed Stream! C:\WINDOWS\stub60.ini:qesjrx
Removed Stream! C:\WINDOWS\stub61.ini:btffhp
Removed Stream! C:\WINDOWS\stub62.ini:frctkg
Removed Stream! C:\WINDOWS\stub69.ini:qsfdhb
Removed Stream! C:\WINDOWS\stub77.ini:pxevuh
Removed Stream! C:\WINDOWS\swupdate.INI:mgelul
Removed Stream! C:\WINDOWS\WindowsUpdate.log:gukwuy
Removed Stream! C:\WINDOWS\zdlli.log:rbsoox
Removed Stream! C:\WINDOWS\zdlli.log:tobnjq
Removed Stream! C:\WINDOWS\_default.pif:lhmada
-------------------------------------------------------------
Removed File! : C:\WINDOWS\addas32.exe
Removed File! : C:\WINDOWS\addhj.exe
Removed File! : C:\WINDOWS\addul.exe
Removed File! : C:\WINDOWS\apicy32.exe
Removed File! : C:\WINDOWS\apihl.exe
Removed File! : C:\WINDOWS\apijs.exe
Removed File! : C:\WINDOWS\apiwq32.exe
Removed File! : C:\WINDOWS\appmg32.exe
Removed File! : C:\WINDOWS\atlkf.exe
Removed File! : C:\WINDOWS\atlxp32.exe
Removed File! : C:\WINDOWS\atlyt32.exe
Removed File! : C:\WINDOWS\crgm.exe
Removed File! : C:\WINDOWS\crgp32.exe
Removed File! : C:\WINDOWS\crom.exe
Removed File! : C:\WINDOWS\d3af.exe
Removed File! : C:\WINDOWS\d3mo.exe
Removed File! : C:\WINDOWS\d3xw32.exe
Removed File! : C:\WINDOWS\iagrt.txt
Removed File! : C:\WINDOWS\iekq32.exe
Removed File! : C:\WINDOWS\iesn32.exe
Removed File! : C:\WINDOWS\ipwr32.exe
Removed File! : C:\WINDOWS\javazg32.exe
Removed File! : C:\WINDOWS\javazs.exe
Removed File! : C:\WINDOWS\jldpv.dll
Removed File! : C:\WINDOWS\mfcbb.exe
Removed File! : C:\WINDOWS\mfchs32.exe
Removed File! : C:\WINDOWS\mfcmo.exe
Removed File! : C:\WINDOWS\mfczz.exe
Removed File! : C:\WINDOWS\msxg.exe
Removed File! : C:\WINDOWS\msxu.exe
Removed File! : C:\WINDOWS\netxz.exe
Removed File! : C:\WINDOWS\ntcl32.dll
Removed File! : C:\WINDOWS\ntdb.exe
Removed File! : C:\WINDOWS\ntoj.exe
Removed File! : C:\WINDOWS\ntqx32.exe
Removed File! : C:\WINDOWS\nykbu.txt
Removed File! : C:\WINDOWS\otctf.dat
Removed File! : C:\WINDOWS\rbblp.dat
Removed File! : C:\WINDOWS\sdkhm32.exe
Removed File! : C:\WINDOWS\sdkic.exe
Removed File! : C:\WINDOWS\sdkvo32.exe
Removed File! : C:\WINDOWS\syset.exe
Removed File! : C:\WINDOWS\systm32.exe
Removed File! : C:\WINDOWS\uyvlc.dll
Removed File! : C:\WINDOWS\winsc.exe
Removed File! : C:\WINDOWS\winwc32.exe
Removed File! : C:\WINDOWS\winyd32.exe
Removed File! : C:\WINDOWS\zdlli.log
Removed File! : C:\WINDOWS\system32\addkk.exe
Removed File! : C:\WINDOWS\system32\addtb.exe
Removed File! : C:\WINDOWS\system32\apial32.exe
Removed File! : C:\WINDOWS\system32\apifz32.exe
Removed File! : C:\WINDOWS\system32\apigb32.exe
Removed File! : C:\WINDOWS\system32\apirm32.exe
Removed File! : C:\WINDOWS\system32\appqu.exe
Removed File! : C:\WINDOWS\system32\atlaz.exe
Removed File! : C:\WINDOWS\system32\atlwv32.exe
Removed File! : C:\WINDOWS\system32\cdeel.txt
Removed File! : C:\WINDOWS\system32\d3bx.exe
Removed File! : C:\WINDOWS\system32\ipcq32.dll
Removed File! : C:\WINDOWS\system32\ipfq32.exe
Removed File! : C:\WINDOWS\system32\ipxc.exe
Removed File! : C:\WINDOWS\system32\javatk32.exe
Removed File! : C:\WINDOWS\system32\kzgvo.dat
Removed File! : C:\WINDOWS\system32\mbbxy.dll
Removed File! : C:\WINDOWS\system32\mfcgu.exe
Removed File! : C:\WINDOWS\system32\mswl32.exe
Removed File! : C:\WINDOWS\system32\neqpi.txt
Removed File! : C:\WINDOWS\system32\netzw32.exe
Removed File! : C:\WINDOWS\system32\ntqn.exe
Removed File! : C:\WINDOWS\system32\sysdr32.exe
Removed File! : C:\WINDOWS\system32\sysjd32.exe
Removed File! : C:\WINDOWS\system32\sysry.exe
Removed File! : C:\WINDOWS\system32\sysva32.exe
Removed File! : C:\WINDOWS\system32\winym.exe
Removed File! : C:\WINDOWS\system32\zuneb.log
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:57:01 PM


AboutBuster 6.0
Scan started on [1/7/2006] at [6:58:30 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:01:11 PM


AboutBuster 6.0
Scan started on [1/7/2006] at [9:04:40 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:06:27 PM


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:43:12 PM, 1/7/2006
+ Report-Checksum: 86A7E301

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{4095AAF5-BAD2-A97D-D64C-566A52E35C2E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{96EEA21B-4AA3-4627-EA0A-176241DBD1A4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DCF499B3-5BE2-6F3F-B6C8-FB0597F0FF79} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Adbrite : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.263:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.281:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.286:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.287:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.289:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.296:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.298:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.302:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.303:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.305:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.307:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.308:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.310:C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\l9og732a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@bzresults.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@cz8.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@data4.perf.overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@programs.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@stats.adbrite[1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brian\Local Settings\Temp\2A1.tmp -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Brian\Local Settings\Temp\2A4.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Brian\Local Settings\Temp\2A4.tmp.exe -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Brian\Local Settings\Temp\7.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Brian\Local Settings\Temp\8.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\CDY34TQ5\start[1].exe -> Downloader.WinShow.bi : Cleaned with backup
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\W983LPE0\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\YPBO5SVE\m00[1].exe -> Dropper.QuickBatch.c : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\Weblookup\weblookup.dll -> Adware.BHO : Cleaned with backup
C:\RECYCLER\S-1-5-21-860362547-3126839212-537746678-1006\Dc34.exe -> Downloader.Agent.td : Cleaned with backup
C:\RECYCLER\S-1-5-21-860362547-3126839212-537746678-500\Dc1.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-860362547-3126839212-537746678-500\Dc2.dll -> Downloader.Agent.bc : Cleaned with backup
C:\RECYCLER\S-1-5-21-860362547-3126839212-537746678-500\Dc3.dll -> Downloader.Agent.bc : Cleaned with backup
C:\RECYCLER\S-1-5-21-860362547-3126839212-537746678-500\Dc4.dll -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\m00.exe -> Dropper.QuickBatch.c : Cleaned with backup


::Report End

#4 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 08 January 2006 - 09:18 AM

Good job :) Looks like we got the worst of it.

Step#1:Restore Deleted System Files

Now we need to see if we need to restore some deleted files: please check for the following files using the Windows Search Engine:
  • control.exe
  • rundll32.exe
  • wmplayer.exe
  • msconfig.exe
  • notepad.exe
  • shell.dll
  • SDHelper.dll
If any are missing or not working properly then you can download new copies from Merijn's Files and follow the instructions at that site to have them where they belong for your OS.
  • If you are having any difficulty with Notepad, please go to Merijn's Files and choose 'Windows Files' from the menu on the left hand side of the page. Then choose 'Notepad' from the list and download it to C:\Windows and C:\Windows\System32
  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
  • This infection often deletes some system files that need to be replaced. The most frequent one it deletes is shell.dll in Win2K or XP. In XP there are two copies of this file, one in Windows (WINNT) and one in Windows\System32. It does not delete the one in Windows\System so it does not affect Win9x/ME. If you find it missing, please copy the shell.dll from c:\windows\system32\dllcache into both \Windows (WINNT) and Windows\System32.
  • The other system file which is most frequently deleted is control.exe. Please check to make sure that you have this file and it is the correct size. If not, please check for the existence of this file by going to Merijn's Files (sdhelper) and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to the information at this website. The control.exe is more often deleted in Win9x/ME.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
Step#2:Download CCleaner
  • Download Ccleaner to clean temp files from your computer.
  • Double click on Ccleaner to install the program, with its default settings, selecting language and agreeing to the license agreement.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • Click Options > Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours".



Step#3:Complete An Online AntiVirus Scan

Run an online antivirus scan at:

Trend Micro-Housecall Online AV

Reboot

Step#4:Find the Infected Files On Your Hard Drive
  • Navigate to C:\Windows
  • Look for files that were created at the approximate time and date as the infection occurred.
  • Look for those that end in exe, DAT and DLL and if found, right click on the file and check properties. Legitimate files should be copyrighted by Microsoft.
  • If you determine they are bad files, right click on them and choose delete.
  • Navigate to C:\Windows\System or C:\Windows\System32 (depending on the OS) and repeat each of the above steps to check for those ending in exe, DAT and/or DLL.
  • If the above files will not delete, then make a new folder on your desktop by right clicking on the desktop and choosing New > Folder. Name the folder CWS Files.
  • Move the files from C:\Windows or C:\Windows\System or C:\Windows\system32 to the new folder CWS Files.
Step#5:Using your Windows CD to replace System Files

** In cases where many system files are missing you have no alternative but to have them insert their Windows OS disk and run sfc /scannow from the Run box if able, or from Recovery Console if not able to get into Windows.



Step#6:Scan And Post a New HijackThis Log

1. Scan again with HijackThis

2. POST your log file using Add Reply to see what is left to fix.
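
The file triage of Step#4 above, written up as an added example that is not part of this thread or the helper's instructions: a PowerShell script (assumes PowerShell 3 or later; the default 7-day window and the script name Triage-RecentSystemFiles.ps1 are assumptions) that lists recently created .exe/.dll/.dat files under the Windows and System32 folders together with their Authenticode status and version-info company, so that unsigned files not attributed to Microsoft stand out for manual review. It only reports; nothing is deleted or moved.

```powershell
# Triage-RecentSystemFiles.ps1 (added example, not from the thread).
# Automates the manual Step#4 check: which .exe/.dll/.dat files under the
# Windows folders were created recently, and do they look like Microsoft's?
param(
    # Assumed window; set this to the date the infection was noticed.
    [datetime]$Since = (Get-Date).AddDays(-7),
    [string[]]$Roots = @("$env:SystemRoot", "$env:SystemRoot\System32")
)

$report = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Extension -in @('.exe', '.dll', '.dat')) -and
            ($_.CreationTime -ge $Since)
        } |
        ForEach-Object {
            # Authenticode check; files signed only through a catalog can show
            # NotSigned on older Windows, so version info is checked as well.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Company   = $_.VersionInfo.CompanyName
                Copyright = $_.VersionInfo.LegalCopyright
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# A file is worth a closer look when it carries no valid signature AND neither
# its company nor its copyright string mentions Microsoft (the helper's test).
$suspect = $report | Where-Object {
    $_.Signature -ne 'Valid' -and
    ($_.Company -notmatch 'Microsoft') -and
    ($_.Copyright -notmatch 'Microsoft')
}

$report | Sort-Object Created | Format-Table Path, Created, SizeKB, Company, Signature -AutoSize
"`n--- Candidates for closer inspection (unsigned, not attributed to Microsoft) ---"
$suspect | Sort-Object Created | Format-Table Path, Created, SizeKB, Company, Copyright -AutoSize
```

Run it from an elevated PowerShell prompt; compare any candidate against the scan reports posted earlier before deciding it is malicious, since drivers and OEM utilities are often unsigned and not Microsoft's.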

#5 ranger2502

    New Member

  • New Member
  • 3 posts

Posted 08 January 2006 - 06:38 PM

Thanks for all your help. I've learned a lot about the troubles that can attack my system if I'm not protected correctly. Here is the HijackThis log, hopefully the last one. None of the files that you listed as being possibly deleted were deleted.

Logfile of HijackThis v1.99.1
Scan saved at 7:34:27 PM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134336848166
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134336838573
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

#6 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 08 January 2006 - 07:19 PM

Looks good :) How is it running?

#7 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 18 January 2006 - 10:17 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
