WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Malware keeps coming back

Started by toddrob , Jan 24 2008 09:22 PM

This topic is locked

14 replies to this topic

#1 toddrob

New Member

New Member
7 posts

Posted 24 January 2008 - 09:22 PM

I have a Windows XP SP2 machine with some malware on it. Avast finds nothing. Adaware SE found a bunch of stuff, and let me remove it. However, it just comes right back. Symantec AV Corp found a few items and let me remove them; however, they came right back. I am seeing many yellow triangle icons with exclamation points in them in my system tray, with information bubbles that say various things like "your system is slow because of spyware," "your system is infected with spyware," etc. I am also getting popup windows with title "Windows Security Center system warning," warning me of spyware on my system with a link that says "Click here to visit Windows Security Center web site..." I did not click the link but the window is gray and red (Windows Security Center windows aren't red to my knowledge). My wallpaper automatically changes to a blue screen that says:

Warning: Spyware threat has been detected on your PC.

Your computer has several fatal errors due to spyware activity. 

It is strongly recommended to install an antispyware software to close all security vulnerabilities.

Antispyware software helps protect your PC against spyware and other security threats.

CLICK HERE TO SCAN YOUR PC FOR SPYWARE...

The link points to an antispywareupdates.net url that changes the IE address bar to say "about:security" and my Google searches are redirected to some anti spyware website with the URL cloaked to look like google search results.

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:26 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {4F45C552-9688-4af2-AA57-15089900E144} - C:\WINDOWS\system32\crypt32rt.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201228758593
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O20 - Winlogon Notify: msdtc32 - C:\WINDOWS\SYSTEM32\msdtc32.dll
O20 - Winlogon Notify: yayayvw - yayayvw.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 9920 bytes

Thank you in advance for your help!

Edited by toddrob, 24 January 2008 - 09:26 PM.

Advertisements

Register to Remove

#2 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 25 January 2008 - 10:03 AM

Hi! Welcome to the WTT forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.

You too could train to help others- Join the Classroom

#3 toddrob

New Member

New Member
7 posts

Posted 25 January 2008 - 10:09 AM

Requested uninstall list: Adobe Flash Player ActiveX Adobe Reader 7.0 AIM 6 ALPS Touch Pad Driver ArcSoft Software Suite avast! Antivirus CD/DVD Drive Acoustic Silencer DAEMON Tools DVD-RAM Driver High Definition Audio Driver Package - KB888111 HijackThis 2.0.2 Hotfix for Windows Media Format SDK (KB902344) Hotfix for Windows XP (KB893357) Hotfix for Windows XP (KB894871) Hotfix for Windows XP (KB895200) Hotfix for Windows XP (KB896256) Hotfix for Windows XP (KB896344) Hotfix for Windows XP (KB926239) Hotfix for Windows XP (KB935448) Intel® Graphics Media Accelerator Driver Intel® PRO Network Connections Drivers Intel® PROSet/Wireless Software InterVideo WinDVD for TOSHIBA iPod for Windows 2005-06-26 iTunes J2SE Runtime Environment 5.0 Update 4 LiveUpdate 3.0 (Symantec Corporation) Macromedia Flash Player 8 mCore mDrWiFi Metamail (Toshiba Registration Utility) mHelp Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Microsoft .NET Framework 3.0 Microsoft .NET Framework 3.0 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Office Professional Edition 2003 Microsoft Silverlight Microsoft User-Mode Driver Framework Feature Pack 1.0 mIWA mLogView mMHouse mPfMgr mPfWiz mProSafe MSXML 4.0 SP2 (KB936181) MSXML 6.0 Parser mWlsSafe mXML mZConfig Office 2003 Trial Assistant QuickTime Realtek High Definition Audio Driver sat_screensaver_30mb SD Secure Module Security Update for Step By Step Interactive Training (KB898458) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893066) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB938127) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB939653) Security Update for Windows XP (KB941202) Security Update for Windows XP (KB941568) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB941644) Security Update for Windows XP (KB942615) Security Update for Windows XP (KB943460) Security Update for Windows XP (KB943485) Security Update for Windows XP (KB944653) SMSC IrCC V5.1.3600.5 SP2 Texas Instruments PCIxx21/x515/xx12 drivers. TOSHIBA Accessibility TOSHIBA Assist TOSHIBA ConfigFree TOSHIBA Controls TOSHIBA Fn-esse TOSHIBA Hardware Setup TOSHIBA Hotkey Utility TOSHIBA PC Diagnostic Tool TOSHIBA Power Saver TOSHIBA SD Memory Card Format TOSHIBA Software Modem TOSHIBA Software Upgrades TOSHIBA Speech System Applications TOSHIBA Speech System SR Engine(U.S.) Version1.0 TOSHIBA Speech System TTS Engine(U.S.) Version1.0 TOSHIBA Supervisor Password Toshiba Tbiosdrv Driver TOSHIBA Virtual Sound TOSHIBA Zooming Utility Touch and Launch TouchPad On/Off Utility Update for Windows XP (KB894391) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB904942) Update for Windows XP (KB908531) Update for Windows XP (KB910437) Update for Windows XP (KB911280) Update for Windows XP (KB912945) Update for Windows XP (KB916595) Update for Windows XP (KB920342) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB925876) Update for Windows XP (KB927891) Update for Windows XP (KB930916) Update for Windows XP (KB933360) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Windows XP (KB942763) Update for Windows XP (KB942840) Update for Windows XP (KB946627) Windows Communication Foundation Windows Imaging Component Windows Installer 3.1 (KB893803) Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows Presentation Foundation Windows Workflow Foundation Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB884018 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB885855 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB889673 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781

#4 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 25 January 2008 - 10:24 AM

Hello

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

Save it to your Desktop.
Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Note 2:Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

#5 toddrob

New Member

New Member
7 posts

Posted 25 January 2008 - 10:50 AM

It's probably worth mentioning that Avast re-enabled itself when ComboFix rebooted the system, so Avast was enabled while ComboFix was doing its thing after the reboot. Thank you for all the help so far! Here are the logs you requested:

ComboFix log:

ComboFix 08-01-23.1C - michele 2008-01-25 11:35:59.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.241 [GMT -8:00]
Running from: C:\Documents and Settings\michele\desktop\combofix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 10:28 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-01-25 10:28 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-25 10:28 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-24 22:19 . 2008-01-24 22:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 21:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 21:19 . 2008-01-24 21:19 0 --a------ C:\WINDOWS\vpc32.INI
2008-01-24 20:38 . 2008-01-24 22:08 <DIR> d-------- C:\Program Files\Symantec
2008-01-24 20:38 . 2008-01-24 22:08 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-24 20:30 . 2008-01-24 20:30 <DIR> d-------- C:\Program Files\D-Tools
2008-01-24 20:30 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-01-24 20:30 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-01-24 19:42 . 2008-01-24 19:43 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-24 19:40 . 2008-01-24 19:40 <DIR> d-------- C:\Program Files\MSBuild
2008-01-24 19:36 . 2008-01-24 19:36 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-24 19:34 . 2008-01-24 19:34 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-24 19:33 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-24 19:27 . 2008-01-24 19:27 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-24 19:27 . 2006-10-04 06:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-24 19:27 . 2006-10-04 06:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-24 19:27 . 2006-10-04 06:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-24 19:26 . 2008-01-24 19:26 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-24 19:21 . 2008-01-24 19:21 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-24 19:21 . 2008-01-24 19:23 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-24 18:52 . 2006-11-12 22:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-01-24 18:52 . 2006-11-12 22:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-01-24 18:52 . 2006-11-12 22:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-01-24 14:22 . 2008-01-24 14:22 89,617 --a------ C:\WINDOWS\wrslwrmz.exe
2008-01-24 14:22 . 2008-01-24 14:22 89,617 --a------ C:\WINDOWS\system32\rxjddnvj.exe
2008-01-22 17:06 . 2008-01-22 17:06 <DIR> d-------- C:\WINDOWS\hptjpqam
2008-01-22 17:06 . 2008-01-22 17:06 193,536 --a------ C:\WINDOWS\wpmzqjmz.dll
2008-01-22 17:06 . 2008-01-22 17:06 45,568 --a------ C:\WINDOWS\nglofura.exe
2008-01-22 17:06 . 2008-01-22 17:06 4,608 --a------ C:\TEay.exe
2008-01-19 02:31 . 2008-01-22 22:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 02:31 . 2008-01-19 02:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 00:09 . 2008-01-22 17:05 30,720 --a------ C:\info.exe
2008-01-18 00:09 . 2008-01-18 00:09 5,632 --a------ C:\WINDOWS\system32\msdtc32.dll
2008-01-18 00:09 . 2008-01-19 10:55 56 --a------ C:\mscrypt.bat
2007-12-31 22:10 . 2008-01-16 16:14 <DIR> d-------- C:\Program Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 06:16 --------- d-----w C:\Program Files\Common Files\Real
2007-12-17 02:21 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-24_21.46.27.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-25 19:39:05 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F45C552-9688-4af2-AA57-15089900E144}]
C:\WINDOWS\system32\crypt32rt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 13:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 13:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 13:55 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41 602182]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 06:29 88203 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 13:45 28672]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 13:45 65536]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 12:25 73728]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 11:13 671744]
"TPSMain"="TPSMain.exe" [2005-05-31 17:16 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 10:52 1077322]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 09:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 16:13 122880]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 16:28 53248]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 14:50 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-12-27 17:34 73728 C:\WINDOWS\system32\TDispVol.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 17:37 151552]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-06-24 14:16 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-03 14:54 98304]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-29 11:42:17 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msdtc32]
msdtc32.dll 2008-01-18 00:09 5632 C:\WINDOWS\system32\msdtc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayayvw]
yayayvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareAlert]
C:\Program Files\AdwareAlert\AdwareAlert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\drmsrv32]
--a------ 2008-01-22 17:05 30720 C:\info.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ynadircd]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\ynadircd.dll

R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys [2005-12-01 10:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 02:30:42 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 11:39:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2008-01-25 11:42:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 19:41:40
ComboFix2.txt 2008-01-25 05:58:18
ComboFix3.txt 2008-01-25 05:46:58
.
2008-01-25 03:56:47 --- E O F ---

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:31 AM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4F45C552-9688-4af2-AA57-15089900E144} - C:\WINDOWS\system32\crypt32rt.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201228758593
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O20 - Winlogon Notify: msdtc32 - C:\WINDOWS\SYSTEM32\msdtc32.dll
O20 - Winlogon Notify: yayayvw - yayayvw.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 8119 bytes

#6 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 25 January 2008 - 05:42 PM

Hi

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
Ill be back tommorrow, UK time. :thumbup:

You too could train to help others- Join the Classroom

#7 toddrob

New Member

New Member
7 posts

Posted 25 January 2008 - 08:22 PM

Here's the CF-RC log: WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons Thank you so much for your help so far!

#8 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 26 January 2008 - 05:55 AM

Hi

Remember to disconnect from the Internet and disable your anti-virus before carrying out the next instruction, and to reenable the anti-virus before reconnecting to the Internet

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
C:\WINDOWS\vpc32.INI 
C:\WINDOWS\system32\spmsg2.dll
C:\WINDOWS\wrslwrmz.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\wpmzqjmz.dll
C:\WINDOWS\nglofura.exe
C:\TEay.exe
C:\info.exe
C:\WINDOWS\system32\msdtc32.dll
C:\mscrypt.bat
C:\Documents and Settings\All Users\Application Data\ynadircd.dll
 
Folder::
C:\WINDOWS\hptjpqam
C:\Program Files\QdrModule

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F45C552-9688-4af2-AA57-15089900E144}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msdtc32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayayvw]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\drmsrv32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ynadircd]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run

You too could train to help others- Join the Classroom

#9 toddrob

New Member

New Member
7 posts

Posted 26 January 2008 - 11:20 AM

Please note that I installed LogMeIn because the computer had to go home with its user.

ComboFix log:

ComboFix 08-01-23.1C - michele 2008-01-26 12:12:14.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.98 [GMT -8:00]
Running from: C:\Documents and Settings\michele\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\michele\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\All Users\Application Data\ynadircd.dll
C:\info.exe
C:\mscrypt.bat
C:\TEay.exe
C:\WINDOWS\nglofura.exe
C:\WINDOWS\system32\msdtc32.dll
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\system32\spmsg2.dll
C:\WINDOWS\vpc32.INI
C:\WINDOWS\wpmzqjmz.dll
C:\WINDOWS\wrslwrmz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\info.exe
C:\mscrypt.bat
C:\TEay.exe
C:\WINDOWS\hptjpqam
C:\WINDOWS\hptjpqam\1.png
C:\WINDOWS\hptjpqam\2.png
C:\WINDOWS\hptjpqam\3.png
C:\WINDOWS\hptjpqam\4.png
C:\WINDOWS\hptjpqam\5.png
C:\WINDOWS\hptjpqam\6.png
C:\WINDOWS\hptjpqam\7.png
C:\WINDOWS\hptjpqam\8.png
C:\WINDOWS\hptjpqam\9.png
C:\WINDOWS\hptjpqam\bottom-rc.gif
C:\WINDOWS\hptjpqam\config.png
C:\WINDOWS\hptjpqam\content.png
C:\WINDOWS\hptjpqam\download.gif
C:\WINDOWS\hptjpqam\frame-bg.gif
C:\WINDOWS\hptjpqam\frame-bottom-left.gif
C:\WINDOWS\hptjpqam\frame-h1bg.gif
C:\WINDOWS\hptjpqam\head.png
C:\WINDOWS\hptjpqam\icon.png
C:\WINDOWS\hptjpqam\indexwp.html
C:\WINDOWS\hptjpqam\main.css
C:\WINDOWS\hptjpqam\memory-prots.png
C:\WINDOWS\hptjpqam\net.png
C:\WINDOWS\hptjpqam\pc-mag.gif
C:\WINDOWS\hptjpqam\pc.gif
C:\WINDOWS\hptjpqam\poloska1.png
C:\WINDOWS\hptjpqam\poloska2.png
C:\WINDOWS\hptjpqam\poloska3.png
C:\WINDOWS\hptjpqam\promowp1.html
C:\WINDOWS\hptjpqam\promowp2.html
C:\WINDOWS\hptjpqam\promowp3.html
C:\WINDOWS\hptjpqam\promowp4.html
C:\WINDOWS\hptjpqam\promowp5.html
C:\WINDOWS\hptjpqam\reg.png
C:\WINDOWS\hptjpqam\repair.png
C:\WINDOWS\hptjpqam\scr-1.png
C:\WINDOWS\hptjpqam\scr-2.png
C:\WINDOWS\hptjpqam\start.png
C:\WINDOWS\hptjpqam\styles.css
C:\WINDOWS\hptjpqam\Thumbs.db
C:\WINDOWS\hptjpqam\top-rc.gif
C:\WINDOWS\hptjpqam\vline.gif
C:\WINDOWS\hptjpqam\wp.png
C:\WINDOWS\nglofura.exe
C:\WINDOWS\system32\msdtc32.dll
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\system32\spmsg2.dll
C:\WINDOWS\vpc32.INI
C:\WINDOWS\wpmzqjmz.dll
C:\WINDOWS\wrslwrmz.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-26 03:03 . 2008-01-26 03:03 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-26 03:00 . 2008-01-26 03:00 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-25 21:19 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-25 21:19 . 2008-01-24 21:30 211 --a------ C:\Boot.bak
2008-01-25 16:34 . 2008-01-26 11:37 <DIR> d-------- C:\Program Files\LogMeIn
2008-01-25 16:34 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2008-01-25 16:34 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-01-25 16:34 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-01-25 16:34 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2008-01-25 16:34 . 2008-01-25 16:34 1,024 --a------ C:\.rnd
2008-01-25 10:28 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-25 10:28 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-24 22:19 . 2008-01-24 22:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 21:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 20:38 . 2008-01-24 22:08 <DIR> d-------- C:\Program Files\Symantec
2008-01-24 20:38 . 2008-01-24 22:08 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-24 20:30 . 2008-01-24 20:30 <DIR> d-------- C:\Program Files\D-Tools
2008-01-24 20:30 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-01-24 20:30 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-01-24 19:42 . 2008-01-24 19:43 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-24 19:40 . 2008-01-24 19:40 <DIR> d-------- C:\Program Files\MSBuild
2008-01-24 19:36 . 2008-01-24 19:36 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-24 19:34 . 2008-01-24 19:34 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-24 19:27 . 2008-01-24 19:27 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-24 19:27 . 2006-10-04 06:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-24 19:27 . 2006-10-04 06:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-24 19:27 . 2006-10-04 06:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-24 19:26 . 2008-01-24 19:26 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-24 19:21 . 2008-01-24 19:21 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-24 19:21 . 2008-01-24 19:23 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-24 18:52 . 2006-11-12 22:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-01-24 18:52 . 2006-11-12 22:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-01-24 18:52 . 2006-11-12 22:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-01-19 02:31 . 2008-01-22 22:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 02:31 . 2008-01-19 02:31 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-31 22:10 . 2008-01-16 16:14 <DIR> d-------- C:\Program Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 06:16 --------- d-----w C:\Program Files\Common Files\Real
2007-12-17 02:21 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-24_21.46.27.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-04 10:40:05 72,704 ----a-w C:\WINDOWS\$hf_mig$\KB925720\SP2QFE\magnify.exe
+ 2006-10-04 10:40:06 53,760 ----a-w C:\WINDOWS\$hf_mig$\KB925720\SP2QFE\narrator.exe
+ 2006-10-04 10:40:06 215,552 ----a-w C:\WINDOWS\$hf_mig$\KB925720\SP2QFE\osk.exe
+ 2006-10-04 14:05:57 35,840 ----a-w C:\WINDOWS\$hf_mig$\KB925720\SP2QFE\umandlg.dll
+ 2006-10-04 10:40:06 50,176 ----a-w C:\WINDOWS\$hf_mig$\KB925720\SP2QFE\utilman.exe
+ 2005-10-12 23:16:49 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB925720\spmsg.dll
+ 2005-10-12 23:16:49 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB925720\spuninst.exe
+ 2005-10-12 23:16:49 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB925720\update\spcustom.dll
+ 2005-10-12 23:16:51 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925720\update\update.exe
+ 2005-10-12 23:16:56 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB925720\update\updspapi.dll
+ 2007-08-09 20:08:02 71,248 ----a-w C:\WINDOWS\Downloaded Program Files\LMIProxyHelper.exe
+ 2008-01-17 21:18:26 2,745,672 ----a-w C:\WINDOWS\Downloaded Program Files\RACtrl.dll
- 2008-01-25 05:43:26 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 20:12:09 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 05:43:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 20:12:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 05:43:27 2,363,392 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 20:12:09 2,363,392 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 05:43:27 86,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 20:12:09 86,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 05:43:27 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-26 20:12:09 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-25 05:43:27 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 20:12:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 20:12:09 933,888 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\NTUSER.DAT
+ 2008-01-26 20:12:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000008\UsrClass.dat
- 2006-11-02 02:31:34 315,904 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-06-27 06:10:26 317,440 ----a-w C:\WINDOWS\inf\unregmp2.exe
- 2008-01-25 03:42:41 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-01-26 11:01:48 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-01-25 03:42:42 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-01-26 11:01:48 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-01-25 03:42:42 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-01-26 11:01:48 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-01-25 03:42:41 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-01-26 11:01:48 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-01-25 03:42:42 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-01-26 11:01:48 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-01-25 03:42:42 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-01-26 11:01:48 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-01-25 03:42:42 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-01-26 11:01:48 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-01-25 03:42:42 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-01-26 11:01:48 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-01-25 03:42:41 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-01-26 11:01:48 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-01-25 03:42:41 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-01-26 11:01:48 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-01-25 03:42:42 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-01-26 11:01:49 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-01-25 03:42:41 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-01-26 11:01:48 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-01-25 03:42:41 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-01-26 11:01:48 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-10-04 08:48:36 72,704 -c----w C:\WINDOWS\system32\dllcache\magnify.exe
- 2006-10-19 05:47:16 414,208 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
+ 2006-12-05 00:21:50 414,720 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
+ 2006-10-04 08:48:36 53,760 -c----w C:\WINDOWS\system32\dllcache\narrator.exe
+ 2006-10-04 08:48:37 215,552 -c----w C:\WINDOWS\system32\dllcache\osk.exe
+ 2006-10-04 13:33:38 35,840 -c----w C:\WINDOWS\system32\dllcache\umandlg.dll
- 2006-11-02 02:31:34 315,904 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2007-06-27 06:10:26 317,440 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2006-10-04 08:48:37 50,176 -c----w C:\WINDOWS\system32\dllcache\utilman.exe
- 2006-10-19 05:47:20 10,834,432 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-06-12 07:51:12 10,834,944 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-08-03 23:04:52 10,144 ----a-w C:\WINDOWS\system32\drivers\lmimirr.sys
+ 2007-11-16 02:46:22 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
+ 2007-11-16 02:46:24 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
- 2004-08-04 12:00:00 72,704 ----a-w C:\WINDOWS\system32\magnify.exe
+ 2006-10-04 08:48:36 72,704 ----a-w C:\WINDOWS\system32\magnify.exe
- 2006-10-19 05:47:16 414,208 ----a-w C:\WINDOWS\system32\msscp.dll
+ 2006-12-05 00:21:50 414,720 ----a-w C:\WINDOWS\system32\msscp.dll
- 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2007-05-15 23:43:10 1,320,800 ----a-w C:\WINDOWS\system32\msxml6.dll
- 2004-08-04 12:00:00 53,760 ----a-w C:\WINDOWS\system32\narrator.exe
+ 2006-10-04 08:48:36 53,760 ----a-w C:\WINDOWS\system32\narrator.exe
- 2004-08-04 12:00:00 215,552 ----a-w C:\WINDOWS\system32\osk.exe
+ 2006-10-04 08:48:37 215,552 ----a-w C:\WINDOWS\system32\osk.exe
+ 2007-08-09 20:08:04 8,784 ----a-w C:\WINDOWS\system32\ractrlkeyhook.dll
+ 2007-11-16 02:46:26 15,160 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\LMIprinter.dll
+ 2007-11-16 02:46:30 16,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\LMIprinterdat.dll
+ 2007-11-16 02:46:30 16,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\LMIprinterui.dll
+ 2007-11-16 02:46:26 15,160 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\LMIprinter.dll
+ 2007-11-16 02:46:30 16,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\LMIprinterdat.dll
+ 2007-11-16 02:46:30 16,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\LMIprinterui.dll
+ 2007-11-16 02:46:32 28,472 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\LMIproc.dll
- 2004-08-04 12:00:00 35,840 ----a-w C:\WINDOWS\system32\umandlg.dll
+ 2006-10-04 13:33:38 35,840 ----a-w C:\WINDOWS\system32\umandlg.dll
- 2004-08-04 12:00:00 50,176 ----a-w C:\WINDOWS\system32\utilman.exe
+ 2006-10-04 08:48:37 50,176 ----a-w C:\WINDOWS\system32\utilman.exe
- 2006-10-19 05:47:20 10,834,432 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-06-12 07:51:12 10,834,944 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2008-01-26 20:15:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_d4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 13:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 13:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 13:55 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41 602182]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40 196608]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 06:29 88203 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 13:45 28672]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 13:45 65536]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 12:25 73728]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 11:13 671744]
"TPSMain"="TPSMain.exe" [2005-05-31 17:16 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 10:52 1077322]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 09:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 16:13 122880]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-13 16:28 53248]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 14:50 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-12-27 17:34 73728 C:\WINDOWS\system32\TDispVol.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 17:37 151552]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-06-24 14:16 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-03 14:54 98304]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-29 11:42:17 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareAlert]
C:\Program Files\AdwareAlert\AdwareAlert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys [2005-12-01 10:55]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 11:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 12:15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
.
Completion time: 2008-01-26 12:18:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-26 20:18:17
ComboFix2.txt 2008-01-25 19:42:28
ComboFix3.txt 2008-01-25 05:58:18
ComboFix4.txt 2008-01-25 05:46:58
.
2008-01-26 11:03:03 --- E O F ---

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:50 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-21-1350571271-1708280084-14072283-1007\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-1350571271-1708280084-14072283-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LogMeInRemoteUser')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201228758593
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 8754 bytes

Edited by toddrob, 26 January 2008 - 11:22 AM.

#10 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 26 January 2008 - 11:29 AM

Good evening

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  
  + Extended(If available otherwise Standard)
- Scan Options:
  
  + Scan Archives
  + Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post with a new HijackThis log.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner, and the updated definitions, you can disconnect from the Internet.Re-enable the anti-virus before reconnecting to the Internet.

You too could train to help others- Join the Classroom

#11 toddrob

New Member

New Member
7 posts

Posted 26 January 2008 - 01:10 PM

<html>
<head>
<title>KASPERSKY ONLINE SCANNER REPORT</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
</head>

<style>
.pagetitle { font-size:20px; color:#FFFFFF; font-family: Arial, Geneva, sans-serif; }
.text { font-size:11px; font-family: Arial, Geneva, sans-serif; }
TD { font-size:11px; font-family: Arial, Geneva, sans-serif; }
</style>

<body>
<table width='100%' height='110' border='0'>
<tr height='30' align='center' bgcolor='#005447'>
<td colspan='2' height='30' class='pagetitle'>
<b>KASPERSKY ONLINE SCANNER REPORT</b>
</td>
</tr>
<tr height='70'>
<td colspan='2' height='70'>
Saturday, January 26, 2008 2:07:05 PM<br>
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)<br>
Kaspersky Online Scanner version: 5.0.98.0<br>
Kaspersky Anti-Virus database last update: 26/01/2008<br>
Kaspersky Anti-Virus database records: 533507<br>
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
</table>
<table width='100%' height='145' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Settings</b></td>
</tr>
<tr height='15'>
<td height='15' width='250'>Scan using the following antivirus database</td>
<td>extended</td>
</tr>
<tr height='15'>
<td height='15'>Scan Archives</td>
<td>true</td>
</tr>
<tr height='15'>
<td height='15'>Scan Mail Bases</td>
<td>true</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Scan Target</b></td>
<td>My Computer</td>
</tr>
<tr height='20'>
<td colspan='2' height='20'>
C:\<br>
D:\<br>
E:\
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Statistics</b></td>
</tr>
<tr height='15'>
<td height='15'>Total number of scanned objects</td>
<td>52930</td>
</tr>
<tr height='15'>
<td height='15'>Number of viruses found</td>
<td>4</td>
</tr>
<tr height='15'>
<td height='15'>Number of infected objects</td>
<td>13</td>
</tr>
<tr height='15'>
<td height='15'>Number of suspicious objects</td>
<td>0</td>
</tr>
<tr height='15'>
<td height='15'>Duration of the scan process</td>
<td>00:39:31</td>
</tr>
</table>
<br>
<table width='100%' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Infected Object Name</b></td>
<td width='200'><b>Virus Name</b></td>
<td width='100'><b>Last Action</b></td>
</tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LogMeInRemoteUser\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LogMeInRemoteUser\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\michele\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\michele\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\michele\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\michele\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\michele\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\michele\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\michele\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\TEay.exe.vir </td>
<td>Infected: Trojan-Downloader.Win32.Small.hnw </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir/stream/data0001 </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.vv </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir/stream </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.vv </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir </td>
<td>NSIS: infected - 2 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\msdtc32.dll.vir </td>
<td>Infected: Trojan-Downloader.Win32.Small.hoa </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\MountPointManagerRemoteDatabase </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP100\A0007454.exe/stream/data0001 </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.vv </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP100\A0007454.exe/stream </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.vv </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP100\A0007454.exe </td>
<td>NSIS: infected - 2 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP106\A0008132.exe </td>
<td>Infected: Trojan-Downloader.Win32.Small.hnw </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP106\A0008134.dll </td>
<td>Infected: Trojan-Downloader.Win32.Small.hoa </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP106\change.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP90\A0006709.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.vv </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP96\A0007309.dll </td>
<td>Infected: Trojan.Win32.BHO.aqo </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP96\A0007325.dll </td>
<td>Infected: Trojan.Win32.BHO.aqo </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Debug\PASSWD.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SchedLgU.Txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SoftwareDistribution\ReportingEvents.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Sti_Trace.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\edb.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\tmp.edb </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\Antivirus.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\AppEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\default </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\default.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SecEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\software </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\software.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SysEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\system </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\system.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\h323log.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Temp\Perflib_Perfdata_d4.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Temp\_avast4_\Webshlock.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\wiadebug.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\wiaservc.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\WindowsUpdate.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td colspan='3' height='20'><b>Scan process completed.</b></td>
</tr>
</table>
</body>
</html>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:10 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-21-1350571271-1708280084-14072283-1007\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-1350571271-1708280084-14072283-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LogMeInRemoteUser')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201228758593
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 8799 bytes

#12 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 26 January 2008 - 02:37 PM

Hi

Congratulations, you appear to be malware free.

Time for some housekeeping

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

You may wish to keep hold of the Kaspersky Online Scan as an extra on-demand virus-scanner.
If not you can uninstall it through Start>Control Panel>Add/Remove Programs

Here are two free programs I recommend.

Spybot Search and Destroy
Download it from here . Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

You too could train to help others- Join the Classroom

#13 toddrob

New Member

New Member
7 posts

Posted 26 January 2008 - 02:42 PM

Thank you very much for all of your help, Scotty. I have read your last post, and I will install the suggested applications. Thank you so much!! EDIT: Nevermind, I noticed that all of the infections were either in Quarantine or a resore directory.

Edited by toddrob, 26 January 2008 - 02:43 PM.

#14 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 26 January 2008 - 03:16 PM

Hi Running the Combofix uninstaller removed the Quarantine folder, rehides hidden files and wipes the restore points creating a clean one. I will close this now, and good luck. :thumbup:

You too could train to help others- Join the Classroom

#15 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 26 January 2008 - 03:16 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

You too could train to help others- Join the Classroom

Body Background

skin color theme