Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Potential Malware As Far As I Know


  • Please log in to reply
13 replies to this topic

#1 kneesock

kneesock

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 11 September 2007 - 06:38 PM

Hello! I am posting this topic for my laptop (my other computer is having a simaliar problem, but I believe it to be a lot worse and I will start a separate topic for that since it's a different computer). Like my other computer, shortly after downloading the recently new IE 7, my homepage started changing itself to http://www.bydou.com/ at random times. I only see this "sometimes" here on my laptop, on my other computer it is changed everytime I log on. (So it's not as bad I guess.) Here is my HJT log! Thanks for checking it out. :thumbsup:

Out of curiousity, is it possible to accidentally spread a virus through a USB device? I'm not sure, but I have never noticed this homepage thing until I put something on a jump drive from my other infected computer and opened it over here. :flowers:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:36 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\sveeswl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Sprint PCS Connection Manager 3.0.LNK = C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F92A179-4BE0-46B9-AAC8-4814C60EC8FF}: NameServer = 68.28.122.93 68.28.114.91
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O24 - Desktop Component 0: (no name) - http://minkle.phenominet.com/emo/images/puffs/45.gif
O24 - Desktop Component 1: (no name) - http://e.deviantart.com/emoticons/b/boogie.gif

--
End of file - 8712 bytes
"Your luck has been completely changed tobay."
- Fortune Cookie

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 AM

Posted 15 September 2007 - 09:29 PM

Hello kneesock,

Looks like this laptop computer does not have an antivirus one it. :thumbsup:

This is somewhat suicidal in today's digital world!

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

*************************

NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Out of curiousity, is it possible to accidentally spread a virus through a USB device?

Yes, it is possible. We are seeing more malware spread that way.

Edited by SifuMike, 15 September 2007 - 09:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kneesock

kneesock
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 16 September 2007 - 05:41 PM

Okay, I was downloading both Avast and Combofix at the same time, Combofix got done first and started itself up, made a system restore point, etc. and restarted my computer. Once my computer was turned back on, I started downloading Avast again and once it downloaded and installed, it wanted me to restart. I restarted my computer, it turned back on, I clicked to log on and my screen went black! I was forced to hold the button down on my computer to restart it over again. It kept doing the same thing over and over again. I did this many times to try to get it to turn back on. Finally I was able to log on someone else's account and get to the desktop. I went forward with the system restore Combofix JUST created about 20 minutes ago and now I'm back to my regular self I was about 30 minutes ago when I read your post. I'm kind of nervous about downloading Avast again. Should I try another one of those virus scanners? That was really scary.

My clock is also now set up in military time and I don't know how to change it. Combofix did that and it said it would be changed when I logged back on again.

Edited by kneesock, 16 September 2007 - 05:43 PM.

"Your luck has been completely changed tobay."
- Fortune Cookie

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 AM

Posted 16 September 2007 - 07:08 PM

Hi Kneesock,

I told you to run the antivirus first and ComboFix second. :thumbsup:

You did it backwards and it caused problems. Please read and follow my directions in the exact order.


My clock is also now set up in military time and I don't know how to change it. Combofix did that and it said it would be changed when I logged back on again.

ComboFix changes the time while it runs, and resets the time when it is finished. If it does not run to completion, then the time is set to military time.

Change the time manuly. Go Start>Settings>Control Panel>Time and Date> and manually set the time and date.

Instead of running AVAST or one of the other antivirus programs, we will first run an online virus scanner. After we have removed some of the viruses, then I will ask you to install AVAST.



You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

Edited by SifuMike, 16 September 2007 - 07:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 kneesock

kneesock
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 16 September 2007 - 11:44 PM

Hello SifuMike... I'm sorry. I had to go somewhere that evening so I thought downloading them at the same time would make things go faster. :thumbsup: I didn't know ComboFix was going to download first and do what it did. I should have known better. It won't happen again.

Here is the BitDefender Scanner Log

BitDefender Online Scanner



Scan report generated at: Sun, Sep 16, 2007 - 12:32:07





Scan path: C:\;D:\;







Statistics

Time
01:03:46

Files
271787

Folders
9020

Boot Sectors
3

Archives
8806

Packed Files
15200




Results

Identified Viruses
1

Infected Files
14

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
12




Engines Info

Virus Definitions
804186

Engine build
AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)

Scan plugins
14

Archive plugins
38

Unpack plugins
7

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052521.dll
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052521.dll
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052521.dll
Deleted

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052522.dll
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052522.dll
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052522.dll
Deleted

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052523.dll
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052523.dll
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052523.dll
Deleted

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052524.dll
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052524.dll
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052524.dll
Deleted

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052525.exe
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052525.exe
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052525.exe
Deleted

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052526.exe
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052526.exe
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052526.exe
Deleted

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052527.dll
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052527.dll
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052527.dll
Deleted

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052528.exe
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052528.exe
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052528.exe
Deleted

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052544.exe
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052544.exe
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0052544.exe
Deleted

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0053530.dll
Infected with: Trojan.Kercix.A

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0053530.dll
Disinfection failed

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP212\A0053530.dll
Deleted

C:\WINDOWS\system32\or.dll
Infected with: Trojan.Kercix.A

C:\WINDOWS\system32\or.dll
Disinfection failed

C:\WINDOWS\system32\or.dll
Deleted

C:\WINDOWS\system32\sxyfz.exe
Infected with: Trojan.Kercix.A

C:\WINDOWS\system32\sxyfz.exe
Disinfection failed

C:\WINDOWS\system32\sxyfz.exe
Delete failed

C:\WINDOWS\system32\weix.dll
Infected with: Trojan.Kercix.A

C:\WINDOWS\system32\weix.dll
Disinfection failed

C:\WINDOWS\system32\weix.dll
Delete failed

C:\WINDOWS\system32\xyfz.exe
Infected with: Trojan.Kercix.A

C:\WINDOWS\system32\xyfz.exe
Disinfection failed

C:\WINDOWS\system32\xyfz.exe
Deleted

Attached Files


"Your luck has been completely changed tobay."
- Fortune Cookie

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 AM

Posted 16 September 2007 - 11:51 PM

Hi Kneesock,

Great. :thumbsup: BitDefender removed some of the viruses, so we are making progress.

Now see if you can run ComobFix again.
Go back and read the ComboFix instructions and follow them.

Edited by SifuMike, 16 September 2007 - 11:52 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 kneesock

kneesock
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 18 September 2007 - 05:52 PM

:thumbsup: Glad to hear it. Everything went perfectly - no problems. Here are logs for ComboFix and HijackThis.

Attached Files


"Your luck has been completely changed tobay."
- Fortune Cookie

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 AM

Posted 18 September 2007 - 05:59 PM

Hi

Do me a favor and post the ComboFix and Hijackthis logs, but do not attach them.
Attachments are hard to read. Thanks. :thumbsup:

Edited by SifuMike, 18 September 2007 - 06:07 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 kneesock

kneesock
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 18 September 2007 - 07:53 PM

Oh! Sorry about that. Here you go.

ComboFix 07-09-18.4 - "My Name" 2007-09-19 4:00:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1596 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-16 21:09 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-16 20:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 03:15 <DIR> d-------- C:\Temp
2007-09-15 18:21 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-11 21:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-08 01:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-08 01:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-02 01:48 <DIR> d-------- C:\Program Files\High-Logic
2007-09-02 01:48 <DIR> d-------- C:\DOCUME~1\My Name~1\APPLIC~1\FontCreator
2007-09-01 22:26 <DIR> d-------- C:\Program Files\Sony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-18 08:55 --------- d-------- C:\Program Files\MX240a
2007-09-16 06:45 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-08 01:39 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 00:14 --------- d-------- C:\Program Files\Jasc Software Inc
2007-08-07 16:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 16:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-25 03:07 --------- d-------- C:\DOCUME~1\My Name~1\APPLIC~1\uk.co.planetside
2007-07-25 03:01 --------- d-------- C:\Program Files\Terragen
2007-07-22 02:28 --------- d-------- C:\Program Files\Novatel Wireless
2007-07-19 21:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2004-02-22 01:00:00 28,672 --sh--w C:\WINDOWS\system32\p.dll
2004-02-22 01:00:00 57,344 --sh--w C:\WINDOWS\system32\sxyfz.exe
2002-01-05 01:00:00 28,672 --sh--w C:\WINDOWS\system32\weix.dll
2000-02-24 01:00:00 147,456 --sh--w C:\WINDOWS\system32\xyfz.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 00:55]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 00:52]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 00:55]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2005-12-21 23:29]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 17:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 03:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 03:32]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 09:29 C:\WINDOWS\agrsmmsg.exe]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 15:25]
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2005-10-06 08:20]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 20:37]
"CFSServ.exe"="CFSServ.exe" []
"atwtusb"="atwtusb.exe" [2005-02-03 12:37 C:\WINDOWS\system32\atwtusb.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 18:53]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 09:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 11:31:42]
Sprint PCS Connection Manager 3.0.LNK - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exe [2006-10-13 17:43:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-21 23:42 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\My Name\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^Corel Registration.lnk]
path=C:\Documents and Settings\My Name\Start Menu\Programs\Startup\Corel Registration.lnk
backup=C:\WINDOWS\pss\Corel Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^MX240a.lnk]
path=C:\Documents and Settings\My Name\Start Menu\Programs\Startup\MX240a.lnk
backup=C:\WINDOWS\pss\MX240a.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys
R2 FdRedir;FdRedir;\??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
R2 FileDisk2;FileDisk Protector Kernel Driver;\??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
R2 smihlp;SMI helper driver;\??\C:\Program Files\Protector Suite QL\smihlp.sys
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys
S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys
S3 NWUSBModem;Novatel Wireless USB Modem Driver;C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
S3 NWUSBPort;Novatel Wireless USB Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser.sys
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS
S3 SNDP610;Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\sndp610.sys
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{098c5d6a-af25-11db-8d4a-00038a000015}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winlo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e389e60e-0b93-11db-b78d-00038a000015}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winlo.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 05:01:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 04:08:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-19 4:09:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-19 04:09
C:\ComboFix2.txt ... 2007-09-16 20:59
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:04 AM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\sxyfz.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Sprint PCS Connection Manager 3.0.LNK = C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O24 - Desktop Component 0: (no name) - http://minkle.phenominet.com/emo/images/puffs/45.gif
O24 - Desktop Component 1: (no name) - http://e.deviantart.com/emoticons/b/boogie.gif

--
End of file - 8776 bytes
"Your luck has been completely changed tobay."
- Fortune Cookie

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 AM

Posted 18 September 2007 - 08:55 PM

Hi kneesock,

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:
C:\WINDOWS\system32\p.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

C:\WINDOWS\system32\sxyfz.exe
C:\WINDOWS\system32\weix.dll
C:\WINDOWS\system32\xyfz.exe


Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 kneesock

kneesock
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 19 September 2007 - 05:51 PM

I cannot get my laptop to turn on now. :thumbsup: The screen goes black and it sounds like it powers down after I see the Windows XP loading screen. I don't know what to do. I really needed some of the files off of my computer tonight and now I'm worried. I tried starting it in Safe Mode, Last known good confirguration mode and Debugging mode and it did all the same thing. Is there a way to do a system restore without having your computer on? I looked for discs that came with my laptop and I could only find 2 discs that had to do with wiping the whole drive for recovery. I am very upset. :flowers:
"Your luck has been completely changed tobay."
- Fortune Cookie

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 AM

Posted 19 September 2007 - 06:53 PM

Hi kneesock,

Is there a way to do a system restore without having your computer on? I looked for discs that came with my laptop and I could only find 2 discs that had to do with wiping the whole drive for recovery. I am very upset.



Sorry to hear you having major problems with your computer. :thumbsup:
There is no way to do a system resotre without having your computer on. It has to be up and running to insert the windows install CDs.

It sounds like you may have a hardware, or driver problem, but I am not an expert on that.

Since my specialty is malware removal, not Windows XP, I am going to refer you to our experts at the Windows XP Home and Professional forum.


The techs in that forum specialize in matters pertaining to Windows issues. Let them know that you have been to this forum and that your computer began to belly up.

When posting to any other forum, do not post a HijackThis log or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the techs can analyze the issue and make any recommendations for resolving it.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 kneesock

kneesock
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 19 September 2007 - 08:28 PM

Thank you, SifuMike. You have been a great help so far. :thumbsup: I am sorry to see this happen. IF I can get my computer to turn on from this point, will you be here to further assist me to get rid of this virus? I would hate to start all over again and I am sure you can understand that!
"Your luck has been completely changed tobay."
- Fortune Cookie

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 AM

Posted 19 September 2007 - 09:30 PM

I am sorry too. :thumbsup:

I will leave this thread open so you can post here after our Windows XP forum experts help you.

They have far more experience than I do with Windows problems like you are having.

Did this just happen? Did you do anything on the computer before the problem occured?

Last thing I asked you to do was run a virus scanner, and that would not cause a problem.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users