Now My Laptop Is Infected

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Now My Laptop Is Infected

Options

deroock View Member Profile	Jul 24 2007, 10:06 PM Post #1
Member Group: Members Posts: 44 Joined: 29-April 07 Member No.: 127,850	You guys are currently helping clean up my desktop, and now my laptop is in pop-up hell. It started with the Mirar popup blocker self installing. Here's my hijackthis log. Thanks again. Logfile of HijackThis v1.99.1 Scan saved at 8:01:36 PM, on 7/24/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe C:\WINDOWS\pqehenu.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\EzButton\EzButton.EXE C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\toshiba\ivp\ism\pinger.exe C:\Program Files\iTunes\iTunesHelper.exe C:\DOCUME~1\Ianito\LOCALS~1\Temp\MBDownloader_876919.exe C:\WINDOWS\pqehenuA.exe C:\WINDOWS\retadpu1000106.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\PPATCH~1\logonui.exe C:\WINDOWS\?ymantec\svchost.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe c:\windows\system32\msdsregl.exe C:\WINDOWS\system32\rwintndt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\Ianito\LOCALS~1\Temp\MBDownloader_876919.exe O4 - HKLM\..\Run: [pqehenuA] C:\WINDOWS\pqehenuA.exe O4 - HKLM\..\Run: [{78-8F-FC-C1-ZN}] c:\windows\system32\msdsregl.exe SKY009 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwintndt.exe SKY009 O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKCU\..\Run: [Osus] "C:\WINDOWS\PPATCH~1\logonui.exe" -vt yazb O4 - HKCU\..\Run: [Lqkgtkst] C:\WINDOWS\?ymantec\svchost.exe O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwintndt.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com O15 - Trusted Zone: .amaena.com O15 - Trusted Zone: .drivecleaner.com O15 - Trusted Zone: .errorprotector.com O15 - Trusted Zone: .errorsafe.com O15 - Trusted Zone: .imageservr.com O15 - Trusted Zone: .imagesrvr.com O15 - Trusted Zone: .systemdoctor.com O15 - Trusted Zone: .winantispyware.com O15 - Trusted Zone: .winantivirus.com O15 - Trusted Zone: .winfixer.com O15 - Trusted Zone: .amaena.com (HKLM) O15 - Trusted Zone: .drivecleaner.com (HKLM) O15 - Trusted Zone: .errorprotector.com (HKLM) O15 - Trusted Zone: .errorsafe.com (HKLM) O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: .imageservr.com (HKLM) O15 - Trusted Zone: .imagesrvr.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O15 - Trusted Zone: .systemdoctor.com (HKLM) O15 - Trusted Zone: .winantispyware.com (HKLM) O15 - Trusted Zone: .winantivirus.com (HKLM) O15 - Trusted Zone: .winfixer.com (HKLM) O15 - Trusted IP range: 206.161.125.149 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v46/share...GamesLoader.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb12.pogo.com/game/deluxe/insa...aploader_v6.cab O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://drmail02.ucdmc.ucdavis.edu/dwa7W.cab O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pqehenu.exe

deroock View Member Profile	Jul 25 2007, 01:20 AM Post #2
Member Group: Members Posts: 44 Joined: 29-April 07 Member No.: 127,850	I've added my combofix logfile, followed by a new hijackthis logfile..... 2007-07-24 22:48:15 - ComboFix 07-07-23.6 - Service Pack 2 NTFS (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\ddcbcba.dll C:\WINDOWS\system32\ddcbcba.dll C:\WINDOWS\system32\hggfgfd.dll C:\WINDOWS\system32\hggfgfd.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\Shannon\APPLIC~1\Sskknwrd.dll C:\Program Files\Common Files\meso83122.dll C:\Program Files\Common Files\Yazzle1281OinAdmin.exe C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe C:\Program Files\outerinfo C:\Program Files\outerinfo\Terms.rtf C:\Program Files\windows adstatus C:\Program Files\WindowsUpdate\rtenemu.html C:\temp\tn3 C:\WINDOWS\dls0523pmw.exe C:\WINDOWS\offun.exe C:\WINDOWS\ppatch~1 C:\WINDOWS\ppatch~1\logonui.exe C:\WINDOWS\rau001978.exe C:\WINDOWS\retadpu1000106.exe C:\WINDOWS\retadpu572.exe C:\WINDOWS\system32\b02FdUe C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe C:\WINDOWS\system32\drivers\core.cache.dsk C:\WINDOWS\system32\drivers\core.sys C:\WINDOWS\system32\dwdsregt.exe C:\WINDOWS\system32\jcf.dll C:\WINDOWS\system32\msdsregl.exe C:\WINDOWS\system32\msnav32.ax C:\WINDOWS\system32\T1 C:\WINDOWS\system32\T1\kmhp83122.exe C:\WINDOWS\system32\T3 C:\WINDOWS\system32\T3\wr716.exe C:\WINDOWS\system32\T5 C:\WINDOWS\system32\T5\tns2.exe C:\WINDOWS\system32\T7 C:\WINDOWS\system32\version69ie7fix.dll C:\WINDOWS\system32\wcpisu32.exe C:\WINDOWS\system32\win C:\WINDOWS\system32\winnb58.dll C:\WINDOWS\system32\winpfz32.sys C:\WINDOWS\system32\zxdnt3d.cfg C:\WINDOWS\TISKY009.exe C:\WINDOWS\wr.txt C:\WINDOWS\ymante~1 C:\WINDOWS\ymante~1\svchost.exe ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_CORE -------\LEGACY_NET_AGENT -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS -------\core -------\Net Agent -------\Windows Overlay Components ((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 ))))))))))))))))))))))))))))))) 2007-07-24 22:44 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-24 19:59 6,467 --ahs---- C:\WINDOWS\system32\ayadd.bak2 2007-07-24 19:54 228,960 --a------ C:\WINDOWS\system32\ddaya.dll 2007-07-24 19:50 192,622 --a------ C:\WINDOWS\system32\rwintndt.exe 2007-07-24 19:49 54,784 --a------ C:\WINDOWS\pqehenu.exe 2007-07-24 19:49 1,006,352 -r-hs---- C:\WINDOWS\pqehenuA.exe 2007-07-24 19:49 <DIR> d-------- C:\WINDOWS\system32\T11 2007-07-24 19:49 <DIR> d-------- C:\Temp\brr 2007-07-24 19:49 <DIR> d-------- C:\Temp\0c2 2007-07-02 21:11 <DIR> d--hs---- C:\found.000 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-25 06:14:53 -------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-07-25 06:01:24 -------- d--h--w C:\Program Files\WindowsUpdate 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2006-10-25 05:05:40 35,720 ----a-w C:\DOCUME~1\Ianito\APPLIC~1\GDIPFONTCACHEV1.DAT 2004-12-06 19:34:38 16,602 ----a-w C:\Program Files\INSTALL.LOG ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EA70B0F-C1AD-4690-87D5-FB3C13C9F971}] 2007-07-24 19:54 228960 --a------ C:\WINDOWS\system32\ddaya.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}] C:\WINDOWS\system32\version69ie7fix.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\version69ie7fix.dll [ ] [HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}] [HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\version69ie7fix.dll [ ] [-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}] [HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10] "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 16:43] "AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 C:\WINDOWS\agrsmmsg.exe] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46] "EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-05-14 11:29] "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 14:12] "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 12:17] "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 15:47] "CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 10:21] "@"="" [] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 10:39] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-15 12:57] "gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 22:32] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41] "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-27 19:23] "Osus"="C:\WINDOWS\PPATCH~1\logonui.exe" [] "Lqkgtkst"="C:\WINDOWS\?ymantec\svchost.exe" [] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20] Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-12-02 15:45:18] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= C:\Program Files\WindowsUpdate\rtenemu.html FriendlyName= [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya] C:\WINDOWS\system32\ddaya.dll 2007-07-24 19:54 228960 C:\WINDOWS\system32\ddaya.dll R0 caboagp;ATI Cabo AGP Filter;C:\WINDOWS\system32\DRIVERS\atisgkaf.sys R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys R1 ECioctl;ECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys R1 meiudf;meiudf;C:\WINDOWS\system32\Drivers\meiudf.sys R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc8021x.sys R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\netdevio.sys R2 TBiosDrv;TBiosDrv;\??\C:\WINDOWS\System32\drivers\TBiosDrv.sys R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS R3 ApfiltrService;Alps Pointing-device Filter Driver;C:\WINDOWS\system32\DRIVERS\Apfiltr.sys R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys S3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys S3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys S3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys S3 grmnusb;grmnusb;C:\WINDOWS\system32\drivers\grmnusb.sys S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys S4 wlimhsrxhjkm;wlimhsrxhjkm;C:\WINDOWS\System32\hjkm\wlimhsrx.exe Contents of the 'Scheduled Tasks' folder 2007-07-06 23:21:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job ************************************************************************ catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-24 23:13:39 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... C:\WINDOWS\vmmreg32.dll:urwenr 9728 bytes executable C:\WINDOWS\q329112.log:cgtyi 95744 bytes executable C:\WINDOWS\Rhododendron.bmp:iuirdd 68096 bytes executable C:\WINDOWS\wiaservc.log:nrojqc 29184 bytes executable C:\WINDOWS\svcpack.log:vcvmyi 9728 bytes executable C:\WINDOWS\T30DebugLogFile.txt:ocorak 29184 bytes executable scan completed successfully hidden files: 6 ************************************************************************ Completion time: 2007-07-24 23:16:49 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-24 23:16 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 11:20:11 PM, on 7/24/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\EzButton\EzButton.EXE C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\toshiba\ivp\ism\pinger.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\system32\RAMASST.exe C:\WINDOWS\system32\cmd.exe C:\ComboFix\vfind.cfexe C:\Program Files\internet explorer\iexplore.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll (file missing) O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKCU\..\Run: [Osus] "C:\WINDOWS\PPATCH~1\logonui.exe" -vt yazb O4 - HKCU\..\Run: [Lqkgtkst] C:\WINDOWS\?ymantec\svchost.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com O15 - Trusted Zone: .amaena.com O15 - Trusted Zone: .drivecleaner.com O15 - Trusted Zone: .errorprotector.com O15 - Trusted Zone: .errorsafe.com O15 - Trusted Zone: .imageservr.com O15 - Trusted Zone: .imagesrvr.com O15 - Trusted Zone: .systemdoctor.com O15 - Trusted Zone: .winantispyware.com O15 - Trusted Zone: .winantivirus.com O15 - Trusted Zone: .winfixer.com O15 - Trusted Zone: .amaena.com (HKLM) O15 - Trusted Zone: .drivecleaner.com (HKLM) O15 - Trusted Zone: .errorprotector.com (HKLM) O15 - Trusted Zone: .errorsafe.com (HKLM) O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: .imageservr.com (HKLM) O15 - Trusted Zone: .imagesrvr.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O15 - Trusted Zone: .systemdoctor.com (HKLM) O15 - Trusted Zone: .winantispyware.com (HKLM) O15 - Trusted Zone: .winantivirus.com (HKLM) O15 - Trusted Zone: .winfixer.com (HKLM) O15 - Trusted IP range: 206.161.125.149 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v46/share...GamesLoader.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb12.pogo.com/game/deluxe/insa...aploader_v6.cab O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://drmail02.ucdmc.ucdavis.edu/dwa7W.cab O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

miekiemoes View Member Profile	Jul 25 2007, 03:42 AM Post #3
Malware Killer Dog Group: HJT Team Posts: 18,414 Joined: 18-February 05 From: Belgium Member No.: 12,408	Hello, I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world. That's why I want you to install them first!! Avira, AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus. Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously! Comodo OR Kerio are FREE firewalls. Understanding and using firewalls Reboot your computer afterwards. After reboot, perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again in order to delete files that were in use previously. Post a new HijackThislog in your next reply - then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection. -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

deroock View Member Profile	Jul 25 2007, 07:38 PM Post #4
Member Group: Members Posts: 44 Joined: 29-April 07 Member No.: 127,850	thanks for the advice, those programs are now up and running. here's the logfile: Logfile of HijackThis v1.99.1 Scan saved at 5:36:04 PM, on 7/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\EzButton\EzButton.EXE C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\toshiba\ivp\ism\pinger.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\system32\winlogon.exe C:\EZFirewall\EZFirewall-Toshiba.exe C:\DOCUME~1\Ianito\LOCALS~1\Temp\pft22~tmp\Setup.exe C:\DOCUME~1\Ianito\LOCALS~1\Temp\_ISTMP1.DIR\_INS5576._MP C:\DOCUME~1\Ianito\LOCALS~1\Temp\pft22~tmp\_ISDEL.EXE C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe C:\Program Files\internet explorer\iexplore.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll (file missing) O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\hacrrunt.dll",forkonce O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe" O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ca.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKCU\..\Run: [Osus] "C:\WINDOWS\PPATCH~1\logonui.exe" -vt yazb O4 - HKCU\..\Run: [Lqkgtkst] C:\WINDOWS\?ymantec\svchost.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com O15 - Trusted Zone: .amaena.com O15 - Trusted Zone: .drivecleaner.com O15 - Trusted Zone: .errorprotector.com O15 - Trusted Zone: .errorsafe.com O15 - Trusted Zone: .imageservr.com O15 - Trusted Zone: .imagesrvr.com O15 - Trusted Zone: .systemdoctor.com O15 - Trusted Zone: .winantispyware.com O15 - Trusted Zone: .winantivirus.com O15 - Trusted Zone: .winfixer.com O15 - Trusted Zone: .amaena.com (HKLM) O15 - Trusted Zone: .drivecleaner.com (HKLM) O15 - Trusted Zone: .errorprotector.com (HKLM) O15 - Trusted Zone: .errorsafe.com (HKLM) O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: .imageservr.com (HKLM) O15 - Trusted Zone: .imagesrvr.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O15 - Trusted Zone: .systemdoctor.com (HKLM) O15 - Trusted Zone: .winantispyware.com (HKLM) O15 - Trusted Zone: .winantivirus.com (HKLM) O15 - Trusted Zone: .winfixer.com (HKLM) O15 - Trusted IP range: 206.161.125.149 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v46/share...GamesLoader.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb12.pogo.com/game/deluxe/insa...aploader_v6.cab O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://drmail02.ucdmc.ucdavis.edu/dwa7W.cab O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing) O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

miekiemoes View Member Profile	Jul 26 2007, 02:55 AM Post #5
Malware Killer Dog Group: HJT Team Posts: 18,414 Joined: 18-February 05 From: Belgium Member No.: 12,408	Hi, I see you are still having Microsoft Antispyware installed. This is a real outdated version. So I suggest you uninstall Microsoft Antispyware. Then, * Download DelDomains.inf and save it to your desktop. Rightclick on it and choose 'install'. Then, * Download Combofix to your desktop. Doubleclick combofix.exe Follow the prompts. Don't click on the window while the fix is running, because that will cause your system to hang. When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt. Post the contents of this log in your next reply together with a new hijackthislog. Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to. -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

deroock View Member Profile	Jul 26 2007, 11:51 AM Post #6
Member Group: Members Posts: 44 Joined: 29-April 07 Member No.: 127,850	Thanks....here are the logs: 2007-07-26 9:27:32 - ComboFix 07-07-23.6 - Service Pack 2 NTFS ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\winpfz32.sys C:\WINDOWS\system32\zxdnt3d.cfg ((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 ))))))))))))))))))))))))))))))) 2007-07-26 08:41 <DIR> d-------- C:\WINDOWS\SxsCaPendDel 2007-07-25 16:45 53,248 --a------ C:\WINDOWS\unezfw.exe 2007-07-25 16:45 42,176 --a------ C:\WINDOWS\system32\vsutil_oem1051.dll 2007-07-25 16:45 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2007-07-25 16:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs 2007-07-25 16:44 <DIR> d-------- C:\WINDOWS\Internet Logs 2007-07-25 16:44 <DIR> d-------- C:\Program Files\CA 2007-07-25 09:39 1,734,592 ---hs---- C:\WINDOWS\system32\ayadd.ini2 2007-07-25 09:24 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-07-25 09:24 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-07-25 09:21 4,066,080 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-07-25 09:21 24,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-07-25 09:17 126,016 --a------ C:\WINDOWS\system32\hacrrunt.dll 2007-07-24 22:44 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-24 19:59 1,737,319 ---hs---- C:\WINDOWS\system32\ayadd.bak2 2007-07-24 19:54 228,960 --a------ C:\WINDOWS\system32\ddaya.dll 2007-07-24 19:49 1,006,352 -r-hs---- C:\WINDOWS\pqehenuA.exe 2007-07-24 19:49 <DIR> d-------- C:\WINDOWS\system32\T11 2007-07-24 19:49 <DIR> d-------- C:\Temp\brr 2007-07-24 19:49 <DIR> d-------- C:\Temp\0c2 2007-07-02 21:11 <DIR> d--hs---- C:\found.000 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-26 16:12:58 53,972 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2007-07-26 16:12:58 3,260 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2007-07-26 15:44:47 -------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-07-25 23:40:37 18,944 ----a-w C:\WINDOWS\vmmreg32.dll 2007-07-25 06:01:24 -------- d--h--w C:\Program Files\WindowsUpdate 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2006-10-25 05:05:40 35,720 ----a-w C:\DOCUME~1\Ianito\APPLIC~1\GDIPFONTCACHEV1.DAT 2004-12-06 19:34:38 16,602 ----a-w C:\Program Files\INSTALL.LOG ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}] C:\WINDOWS\system32\version69ie7fix.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B8D9091-9C21-452F-89F0-8C817F2A68A7}] 2007-07-24 19:54 228960 --a------ C:\WINDOWS\system32\ddaya.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\version69ie7fix.dll [ ] [HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}] [HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\version69ie7fix.dll [ ] [-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}] [HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10] "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 16:43] "AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 C:\WINDOWS\agrsmmsg.exe] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46] "EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-05-14 11:29] "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 14:12] "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 12:17] "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 15:47] "CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 10:21] "@"="" [] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 10:39] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-15 12:57] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05] "AVP"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2007-04-03 11:37] "Zone Labs Client"="C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ca.exe" [2004-03-10 13:45] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41] "Osus"="C:\WINDOWS\PPATCH~1\logonui.exe" [] "Lqkgtkst"="C:\WINDOWS\?ymantec\svchost.exe" [] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-12-02 15:45:18] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= C:\Program Files\WindowsUpdate\rtenemu.html FriendlyName= [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya] C:\WINDOWS\system32\ddaya.dll 2007-07-24 19:54 228960 C:\WINDOWS\system32\ddaya.dll R0 caboagp;ATI Cabo AGP Filter;C:\WINDOWS\system32\DRIVERS\atisgkaf.sys R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys R1 ECioctl;ECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys R1 meiudf;meiudf;C:\WINDOWS\system32\Drivers\meiudf.sys R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc8021x.sys R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\netdevio.sys R2 TBiosDrv;TBiosDrv;\??\C:\WINDOWS\System32\drivers\TBiosDrv.sys R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS R3 ApfiltrService;Alps Pointing-device Filter Driver;C:\WINDOWS\system32\DRIVERS\Apfiltr.sys R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys S3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys S3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys S3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys S3 grmnusb;grmnusb;C:\WINDOWS\system32\drivers\grmnusb.sys S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys S4 wlimhsrxhjkm;wlimhsrxhjkm;C:\WINDOWS\System32\hjkm\wlimhsrx.exe Contents of the 'Scheduled Tasks' folder 2007-07-06 23:21:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job ************************************************************************ catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-26 09:37:23 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ Completion time: 2007-07-26 9:39:47 C:\ComboFix-quarantined-files.txt ... 2007-07-26 09:39 C:\ComboFix2.txt ... 2007-07-24 23:16 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 9:50:58 AM, on 7/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\EzButton\EzButton.EXE C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\toshiba\ivp\ism\pinger.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\fgdqlilv.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\rmpyvdtm.exe C:\WINDOWS\system32\joiubkhc.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll (file missing) O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe" O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ca.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [Osus] "C:\WINDOWS\PPATCH~1\logonui.exe" -vt yazb O4 - HKCU\..\Run: [Lqkgtkst] C:\WINDOWS\?ymantec\svchost.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v46/share...GamesLoader.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb12.pogo.com/game/deluxe/insa...aploader_v6.cab O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://drmail02.ucdmc.ucdavis.edu/dwa7W.cab O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing) O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

miekiemoes View Member Profile	Jul 26 2007, 01:06 PM Post #7
Malware Killer Dog Group: HJT Team Posts: 18,414 Joined: 18-February 05 From: Belgium Member No.: 12,408	Hello, Perform next instructions in the right order please.. * Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab Select "C:\Program Files\WindowsUpdate\rtenemu.html" you find in there and press the delete button on the right. Hit ok below > apply in previous window. * Open notepad - don't use any other texteditor than notepad or the script will fail. Copy/paste the text in the quotebox below into notepad: QUOTE File:: C:\WINDOWS\system32\fgdqlilv.exe C:\WINDOWS\system32\rmpyvdtm.exe C:\WINDOWS\system32\joiubkhc.exe C:\WINDOWS\system32\ayadd.ini2 C:\WINDOWS\system32\hacrrunt.dll C:\WINDOWS\system32\ayadd.bak2 C:\WINDOWS\system32\ddaya.dll C:\WINDOWS\pqehenuA.exe Folder:: C:\WINDOWS\system32\T11 C:\Temp\brr C:\Temp\0c2 FileLook:: C:\WINDOWS\unezfw.exe Collect::[8] C:\WINDOWS\System32\hjkm\wlimhsrx.exe Driver:: wlimhsrxhjkm Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B8D9091-9C21-452F-89F0-8C817F2A68A7}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=- [-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}] [-HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Osus"=- "Lqkgtkst"=- [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya] Save this as txtfile CFScript Then drag the CFScript into ComboFix.exe as you see in the screenshot below. This will start ComboFix again. * it will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip * another file will be present on your desktop: CF-Submit.htm which will open after you ran Combofix. * Where it says: "Submit files for further analysis", click OK and a browser Window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this in the above field and click OK. Post the contents of Combofix.txt in your next reply together with a new HijackThislog. -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

deroock View Member Profile	Jul 26 2007, 09:29 PM Post #8
Member Group: Members Posts: 44 Joined: 29-April 07 Member No.: 127,850	Thanks again. here are the two logs: 2007-07-26 18:52:39 - ComboFix 07-07-23.6 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\Ianito\Desktop\CFScript.txt Unable to gain System Privileges ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) ((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 ))))))))))))))))))))))))))))))) ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Temp\0c2 C:\Temp\0c2\tmpFF.log C:\Temp\brr C:\Temp\brr\tmpZTF.log C:\WINDOWS\pqehenuA.exe C:\WINDOWS\system32\ayadd.bak2 C:\WINDOWS\system32\ayadd.ini2 C:\WINDOWS\system32\ddaya.dll C:\WINDOWS\system32\hacrrunt.dll C:\WINDOWS\system32\T11 C:\WINDOWS\unezfw.exe ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_WLIMHSRXHJKM -------\wlimhsrxhjkm ((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 ))))))))))))))))))))))))))))))) 2007-07-26 18:43 126,016 --a------ C:\WINDOWS\system32\iiixeskb.dll 2007-07-26 18:43 126,016 --a------ C:\WINDOWS\system32\iiixeskb.dll 2007-07-26 09:46 69,184 --a------ C:\WINDOWS\system32\usmbbnyg.dll 2007-07-26 09:46 69,184 --a------ C:\WINDOWS\system32\usmbbnyg.dll 2007-07-26 08:41 <DIR> d-------- C:\WINDOWS\SxsCaPendDel 2007-07-26 08:41 <DIR> d-------- C:\WINDOWS\SxsCaPendDel 2007-07-25 16:45 42,176 --a------ C:\WINDOWS\system32\vsutil_oem1051.dll 2007-07-25 16:45 42,176 --a------ C:\WINDOWS\system32\vsutil_oem1051.dll 2007-07-25 16:45 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat 2007-07-25 16:45 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat 2007-07-25 16:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs 2007-07-25 16:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs 2007-07-25 16:44 <DIR> d-------- C:\WINDOWS\Internet Logs 2007-07-25 16:44 <DIR> d-------- C:\WINDOWS\Internet Logs 2007-07-25 16:44 <DIR> d-------- C:\Program Files\CA 2007-07-25 16:44 <DIR> d-------- C:\Program Files\CA 2007-07-25 09:24 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-07-25 09:24 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-07-25 09:24 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-07-25 09:21 4,256,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-07-25 09:21 4,256,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-07-25 09:21 34,336 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-07-24 22:44 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-24 22:44 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-02 21:11 <DIR> d--hs---- C:\found.000 2007-07-02 21:11 <DIR> d--hs---- C:\found.000 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-27 02:08:08 4,292 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2007-07-27 02:08:07 58,052 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2007-07-26 15:44:47 -------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-07-25 23:40:37 18,944 ----a-w C:\WINDOWS\vmmreg32.dll 2007-07-25 06:01:24 -------- d--h--w C:\Program Files\WindowsUpdate 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2006-10-25 05:05:40 35,720 ----a-w C:\DOCUME~1\Ianito\APPLIC~1\GDIPFONTCACHEV1.DAT 2004-12-06 19:34:38 16,602 ----a-w C:\Program Files\INSTALL.LOG No new files created in this timespan (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-27 02:08:08 4,292 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2007-07-27 02:08:07 58,052 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2007-07-26 15:44:47 -------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-07-25 23:40:37 18,944 ----a-w C:\WINDOWS\vmmreg32.dll 2007-07-25 06:01:24 -------- d--h--w C:\Program Files\WindowsUpdate 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2006-10-25 05:05:40 35,720 ----a-w C:\DOCUME~1\Ianito\APPLIC~1\GDIPFONTCACHEV1.DAT 2004-12-06 19:34:38 16,602 ----a-w C:\Program Files\INSTALL.LOG ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{129E3E15-6082-4AA9-9972-0C99C03BBA23}] C:\WINDOWS\system32\ddaya.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAC40C60-CA37-483B-A06F-4D0802221262}] C:\WINDOWS\system32\ddaya.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}] 2007-07-26 09:46 69184 --a------ C:\WINDOWS\system32\usmbbnyg.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10] "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 16:43] "AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 C:\WINDOWS\agrsmmsg.exe] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46] "EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-05-14 11:29] "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 14:12] "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 12:17] "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 15:47] [-HKEY_CLASSES_ROOT\CLSID\ATIPTA] [-HKEY_CLASSES_ROOT\CLSID\LtMoh] [-HKEY_CLASSES_ROOT\CLSID\AGRSMMSG] [-HKEY_CLASSES_ROOT\CLSID\Apoint] [-HKEY_CLASSES_ROOT\CLSID\EzButton] [-HKEY_CLASSES_ROOT\CLSID\CeEKEY] [-HKEY_CLASSES_ROOT\CLSID\TPNF] [-HKEY_CLASSES_ROOT\CLSID\PadTouch] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10] "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 16:43] "AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 C:\WINDOWS\agrsmmsg.exe] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46] "EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-05-14 11:29] "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 14:12] "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 12:17] "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 15:47] "CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 10:21] "@"="" [] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 10:39] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-15 12:57] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05] "AVP"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2007-04-03 11:37] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-12-02 15:45:18] R0 caboagp;ATI Cabo AGP Filter;C:\WINDOWS\system32\DRIVERS\atisgkaf.sys R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys R1 ECioctl;ECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys R1 meiudf;meiudf;C:\WINDOWS\system32\Drivers\meiudf.sys R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc8021x.sys R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\netdevio.sys R2 TBiosDrv;TBiosDrv;\??\C:\WINDOWS\System32\drivers\TBiosDrv.sys R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS R3 ApfiltrService;Alps Pointing-device Filter Driver;C:\WINDOWS\system32\DRIVERS\Apfiltr.sys R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys S3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys S3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys S3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys S3 grmnusb;grmnusb;C:\WINDOWS\system32\drivers\grmnusb.sys S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys Contents of the 'Scheduled Tasks' folder 2007-07-06 23:21:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job ************************************************************************ catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-26 19:09:26 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 scan completed successfully hidden files: 0 ************************************************************************ Completion time: 2007-07-26 19:11:47 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-26 19:11 C:\ComboFix2.txt ... 2007-07-26 09:39 C:\ComboFix3.txt ... 2007-07-24 23:16 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 7:27:45 PM, on 7/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\EzButton\EzButton.EXE C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\toshiba\ivp\ism\pinger.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\internet explorer\iexplore.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {129E3E15-6082-4AA9-9972-0C99C03BBA23} - C:\WINDOWS\system32\ddaya.dll (file missing) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: (no name) - {AAC40C60-CA37-483B-A06F-4D0802221262} - C:\WINDOWS\system32\ddaya.dll (file missing) O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\usmbbnyg.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v46/share...GamesLoader.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://drmail02.ucdmc.ucdavis.edu/dwa7W.cab O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing) O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

miekiemoes View Member Profile	Jul 27 2007, 02:43 AM Post #9
Malware Killer Dog Group: HJT Team Posts: 18,414 Joined: 18-February 05 From: Belgium Member No.: 12,408	I don't know what happened here and if you copied and pasted the CFScript correctly, but Combofix did some things I didn't ask it to do in the CFScript. For example, the C:\WINDOWS\unezfw.exe was uploaded to the malware channel instead of C:\WINDOWS\System32\hjkm\wlimhsrx.exe Also, ComboFix deleted the C:\WINDOWS\unezfw.exe while I only told it in the CFScript to look at the file: FileLook:: In that case, it will not delete the file.. So I don't know here if this is a bug in Combofix or if you changed something in the CFScript. We cannot doublecheck since the CFScript is deleted automatically afterwards.. Anyway, first of all, go to this folder: C:\Qoobox\quarantine\C\Windows\ and search for the file unezfw.exe.vir in there. Rename it back to unezfw.exe Then copy that file back into your C:\Windows - folder Then, * Open notepad - don't use any other texteditor than notepad or the script will fail. Copy/paste the text in the quotebox below into notepad: QUOTE File:: C:\WINDOWS\system32\iiixeskb.dll C:\WINDOWS\system32\usmbbnyg.dll Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{129E3E15-6082-4AA9-9972-0C99C03BBA23}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAC40C60-CA37-483B-A06F-4D0802221262}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}] Save this as txtfile CFScript Then drag the CFScript into ComboFix.exe as you see in the screenshot below. This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog. -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

deroock View Member Profile	Jul 27 2007, 07:28 PM Post #10
Member Group: Members Posts: 44 Joined: 29-April 07 Member No.: 127,850	Thanks for your help. Not sure what happened before - I thought I did things correctly. This time the computer lost it's active desktop (all icons disappeared) after the comboxfix log appeared. I've managed to copy and paste the two logs below, then I'll reset the computer: "Ianito" - 2007-07-27 17:05:34 - ComboFix 07-07-23.6 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\Ianito\Desktop\CFScript.txt ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\iiixeskb.dll C:\WINDOWS\system32\usmbbnyg.dll ((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 ))))))))))))))))))))))))))))))) 2007-07-27 17:01 53,248 --a------ C:\WINDOWS\unezfw.exe 2007-07-26 08:41 <DIR> d-------- C:\WINDOWS\SxsCaPendDel 2007-07-25 16:45 42,176 --a------ C:\WINDOWS\system32\vsutil_oem1051.dll 2007-07-25 16:45 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat 2007-07-25 16:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs 2007-07-25 16:44 <DIR> d-------- C:\WINDOWS\Internet Logs 2007-07-25 16:44 <DIR> d-------- C:\Program Files\CA 2007-07-25 09:24 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-07-25 09:24 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-07-25 09:21 4,318,752 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-07-25 09:21 37,664 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-07-24 22:44 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-02 21:11 <DIR> d--hs---- C:\found.000 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-27 02:08:08 4,292 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2007-07-27 02:08:07 58,052 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2007-07-26 15:44:47 -------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-07-25 23:40:37 18,944 ----a-w C:\WINDOWS\vmmreg32.dll 2007-07-25 06:01:24 -------- d--h--w C:\Program Files\WindowsUpdate 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2006-10-25 05:05:40 35,720 ----a-w C:\DOCUME~1\Ianito\APPLIC~1\GDIPFONTCACHEV1.DAT 2004-12-06 19:34:38 16,602 ----a-w C:\Program Files\INSTALL.LOG ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10] "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 16:43] "AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 16:00 C:\WINDOWS\agrsmmsg.exe] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46] "EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-05-14 11:29] "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 14:12] "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 12:17] "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 15:47] "CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 10:21] "@"="" [] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 10:39] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-15 12:57] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05] "AVP"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2007-04-03 11:37] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 15:41] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04] RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-12-02 15:45:18] R0 caboagp;ATI Cabo AGP Filter;C:\WINDOWS\system32\DRIVERS\atisgkaf.sys R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys R1 ECioctl;ECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys R1 meiudf;meiudf;C:\WINDOWS\system32\Drivers\meiudf.sys R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc8021x.sys R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\netdevio.sys R2 TBiosDrv;TBiosDrv;\??\C:\WINDOWS\System32\drivers\TBiosDrv.sys R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS R3 ApfiltrService;Alps Pointing-device Filter Driver;C:\WINDOWS\system32\DRIVERS\Apfiltr.sys R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys S3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys S3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys S3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys S3 grmnusb;grmnusb;C:\WINDOWS\system32\drivers\grmnusb.sys S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys Contents of the 'Scheduled Tasks' folder 2007-07-06 23:21:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job ************************************************************************ catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-27 17:13:37 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ Completion time: 2007-07-27 17:14:37 C:\ComboFix-quarantined-files.txt ... 2007-07-27 17:14 C:\ComboFix2.txt ... 2007-07-26 19:11 C:\ComboFix3.txt ... 2007-07-26 09:39 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 5:27:47 PM, on 7/27/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\winlogon.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\EzButton\EzButton.EXE C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\TOSHIBA\Power Management\CePMTray.exe C:\toshiba\ivp\ism\pinger.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\iexplore.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v46/share...GamesLoader.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://drmail02.ucdmc.ucdavis.edu/dwa7W.cab O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing) O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

miekiemoes View Member Profile	Jul 28 2007, 03:22 AM Post #11
Malware Killer Dog Group: HJT Team Posts: 18,414 Joined: 18-February 05 From: Belgium Member No.: 12,408	I guess you ran Combofix the previous time more than once at the same time which may result in such behavior. Anyway,reboot your computer and let me know how it is running now.. Your logs look clean again by the way... -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

deroock View Member Profile	Jul 28 2007, 10:40 AM Post #12
Member Group: Members Posts: 44 Joined: 29-April 07 Member No.: 127,850	Looks good now.... no more popups.....running at normal speed. Thanks again for your help.

miekiemoes View Member Profile	Jul 28 2007, 05:49 PM Post #13
Malware Killer Dog Group: HJT Team Posts: 18,414 Joined: 18-February 05 From: Belgium Member No.: 12,408	Glad I could help. Please read my Prevention page with lots of info and tips how to prevent this in the future. And if you want to improve speed/system performance after malware removal, take a look here. Happy Surfing again! -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

miekiemoes View Member Profile	Aug 4 2007, 04:30 AM Post #14
Malware Killer Dog Group: HJT Team Posts: 18,414 Joined: 18-February 05 From: Belgium Member No.: 12,408	Since this issue appears resolved ... this Topic is closed. If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic. -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 8th November 2009 - 11:15 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides