Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hjt Log - Slow Performance - Outerinfo


  • Please log in to reply
11 replies to this topic

#1 Ultra Classic

Ultra Classic

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 16 October 2007 - 05:55 PM

Thanks in advance for anything you can suggest.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:00 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {62847C44-E7F0-E157-A841-992B2C90DFB5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8659 bytes

BC AdBot (Login to Remove)

 


#2 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 18 October 2007 - 10:16 AM

Ultra Classic

Please download Combofix and save to your desktop:Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Posted Image
Microsoft MVP - Windows Security

#3 Ultra Classic

Ultra Classic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 21 October 2007 - 08:37 PM

Here's the ComboFix Log. Thanks!

ComboFix 07-10-22.1 - Nick 2007-10-21 21:24:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.42 [GMT -4:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nick\My Documents\SMBOLS~1
C:\Documents and Settings\Nick\My Documents\TSKS~1
C:\Program Files\asks~1
C:\Program Files\asks~1\?asks\
C:\Program Files\Common Files\stem~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\icroso~1
C:\Program Files\icroso~1.net
C:\WINDOWS\sks~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\system32\wnscpicomsv.exe
C:\WINDOWS\tsitra11.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-21 21:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 20:46 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-16 20:46 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-10-16 20:23 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
2007-10-16 20:23 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
2007-10-16 20:23 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
2007-10-16 20:23 38,784 --a--c--- C:\WINDOWS\system32\dllcache\io8.sys
2007-10-16 20:23 35,328 --a--c--- C:\WINDOWS\system32\dllcache\iprip.dll
2007-10-16 20:18 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2007-10-16 20:18 82,304 --a--c--- C:\WINDOWS\system32\dllcache\grclass.sys
2007-10-16 20:18 36,864 --a--c--- C:\WINDOWS\system32\dllcache\hanjadic.dll
2007-10-16 20:18 32,256 --a--c--- C:\WINDOWS\system32\dllcache\gzip.dll
2007-10-16 20:18 28,288 --a--c--- C:\WINDOWS\system32\dllcache\grserial.sys
2007-10-16 20:18 19,200 --a--c--- C:\WINDOWS\system32\dllcache\hidbatt.sys
2007-10-16 20:17 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-10-16 20:17 322,432 --a--c--- C:\WINDOWS\system32\dllcache\g400m.sys
2007-10-16 20:17 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-10-16 20:17 46,464 --a--c--- C:\WINDOWS\system32\dllcache\gagp30kx.sys
2007-10-16 20:17 17,408 --a--c--- C:\WINDOWS\system32\dllcache\gpr400.sys
2007-10-16 20:17 10,624 --a--c--- C:\WINDOWS\system32\dllcache\gameenum.sys
2007-10-16 20:06 829,440 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.dll
2007-10-16 20:06 68,608 --a--c--- C:\WINDOWS\system32\dllcache\isatq.dll
2007-10-16 20:06 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-10-16 20:06 20,536 --a--c--- C:\WINDOWS\system32\dllcache\shtml.dll
2007-10-16 20:06 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
2007-10-16 20:06 16,437 --a--c--- C:\WINDOWS\system32\dllcache\shtml.exe
2007-10-16 20:06 13,312 --a--c--- C:\WINDOWS\system32\dllcache\infoadmn.dll
2007-10-16 20:06 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2007-10-16 18:19 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\MSNInstaller
2007-10-15 19:32 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-15 04:57 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-15 04:57 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-15 04:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-15 04:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-15 04:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-15 04:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-15 04:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-15 04:57 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-14 19:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-14 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-14 19:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-14 17:25 <DIR> d-------- C:\WINDOWS\pss
2007-10-09 20:07 249,856 --a------ C:\WINDOWS\system32\LxrJD31.dll
2007-10-09 20:07 163,840 --a------ C:\WINDOWS\system32\LxrJD31c.exe
2007-10-09 20:07 146,432 --a------ C:\WINDOWS\system32\LxrJD31p.exe
2007-10-09 20:07 71,168 --a------ C:\WINDOWS\system32\LxrJD31s.exe
2007-10-09 20:07 69,824 --a------ C:\WINDOWS\system32\drivers\LxrJD31d.sys
2007-10-09 20:07 61,440 --a------ C:\WINDOWS\system32\LxrJD20Sat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 09:42 --------- d-----w C:\Program Files\Trend Micro
2007-10-15 00:28 --------- d-----w C:\Program Files\Java
2007-09-15 02:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 01:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 01:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 01:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 01:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 01:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 01:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 01:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 01:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 01:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62847C44-E7F0-E157-A841-992B2C90DFB5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 00:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 19:48]
"NDSTray.exe"="NDSTray.exe" []
"Toshiba Hotkey Utility"="c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 13:57]
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 01:06]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 20:37]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 14:44 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 11:22 C:\WINDOWS\agrsmmsg.exe]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 15:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 04:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 17:06]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 10:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-10-19 02:10:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bpfg]
C:\WINDOWS\system32\?ecurity\w?aclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dmos]
"C:\PROGRA~1\ASKS~1\dllhost.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Community Tools]
"C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vwbsyd]
"C:\Documents and Settings\Nick\My Documents\?racle\s?rvices.exe"

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys
R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c91797d-ab4e-11db-ab08-00163695f5ff}]
AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b37d2ea-7601-11dc-abf0-00163695f5ff}]
AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a91cb90-941a-11db-aaf2-00163695f5ff}]
AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe
play\command - "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-22 01:11:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 21:28:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21 21:28:52
.
--- E O F ---

#4 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 22 October 2007 - 08:41 AM

Ultra Classic

Well done.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\system32\?ecurity\w?aclt.exe
C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe
C:\Documents and Settings\Nick\My Documents\?racle\s?rvices.exe

Folder::
C:\WINDOWS\system32\?ecurity
C:\PROGRA~1\ASKS~1
C:\Program Files\MyWebSearch
C:\Documents and Settings\Nick\My Documents\?racle

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bpfg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dmos]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Community Tools]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vwbsyd]
Save the File as CFScript(exactly as shown no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

Posted ImageYou will be prompted to run Combofix again, Do so
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply

Edited by bamajim, 22 October 2007 - 08:56 AM.

Posted Image
Microsoft MVP - Windows Security

#5 Ultra Classic

Ultra Classic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 22 October 2007 - 05:47 PM

Wow, thanks for your help. This log was created after we followed your latest instructions. Please let us know what we need to do next. Thanks again for all your help.



ComboFix 07-10-22.1 - Nick 2007-10-22 18:23:05.2 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript

FILE::
C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-21 21:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 20:46 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-16 20:46 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-10-16 20:23 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
2007-10-16 20:23 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
2007-10-16 20:23 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
2007-10-16 20:23 38,784 --a--c--- C:\WINDOWS\system32\dllcache\io8.sys
2007-10-16 20:23 35,328 --a--c--- C:\WINDOWS\system32\dllcache\iprip.dll
2007-10-16 20:18 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2007-10-16 20:18 82,304 --a--c--- C:\WINDOWS\system32\dllcache\grclass.sys
2007-10-16 20:18 36,864 --a--c--- C:\WINDOWS\system32\dllcache\hanjadic.dll
2007-10-16 20:18 32,256 --a--c--- C:\WINDOWS\system32\dllcache\gzip.dll
2007-10-16 20:18 28,288 --a--c--- C:\WINDOWS\system32\dllcache\grserial.sys
2007-10-16 20:18 19,200 --a--c--- C:\WINDOWS\system32\dllcache\hidbatt.sys
2007-10-16 20:17 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-10-16 20:17 322,432 --a--c--- C:\WINDOWS\system32\dllcache\g400m.sys
2007-10-16 20:17 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-10-16 20:17 46,464 --a--c--- C:\WINDOWS\system32\dllcache\gagp30kx.sys
2007-10-16 20:17 17,408 --a--c--- C:\WINDOWS\system32\dllcache\gpr400.sys
2007-10-16 20:17 10,624 --a--c--- C:\WINDOWS\system32\dllcache\gameenum.sys
2007-10-16 20:06 829,440 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.dll
2007-10-16 20:06 68,608 --a--c--- C:\WINDOWS\system32\dllcache\isatq.dll
2007-10-16 20:06 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-10-16 20:06 20,536 --a--c--- C:\WINDOWS\system32\dllcache\shtml.dll
2007-10-16 20:06 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
2007-10-16 20:06 16,437 --a--c--- C:\WINDOWS\system32\dllcache\shtml.exe
2007-10-16 20:06 13,312 --a--c--- C:\WINDOWS\system32\dllcache\infoadmn.dll
2007-10-16 20:06 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2007-10-16 18:19 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\MSNInstaller
2007-10-15 19:32 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-15 04:57 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-15 04:57 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-15 04:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-15 04:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-15 04:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-15 04:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-15 04:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-15 04:57 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-14 19:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-14 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-14 19:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-14 17:25 <DIR> d-------- C:\WINDOWS\pss
2007-10-09 20:07 249,856 --a------ C:\WINDOWS\system32\LxrJD31.dll
2007-10-09 20:07 163,840 --a------ C:\WINDOWS\system32\LxrJD31c.exe
2007-10-09 20:07 146,432 --a------ C:\WINDOWS\system32\LxrJD31p.exe
2007-10-09 20:07 71,168 --a------ C:\WINDOWS\system32\LxrJD31s.exe
2007-10-09 20:07 69,824 --a------ C:\WINDOWS\system32\drivers\LxrJD31d.sys
2007-10-09 20:07 61,440 --a------ C:\WINDOWS\system32\LxrJD20Sat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 09:42 --------- d-----w C:\Program Files\Trend Micro
2007-10-15 00:28 --------- d-----w C:\Program Files\Java
2007-09-15 02:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 01:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 01:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 01:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 01:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 01:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 01:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 01:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 01:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 01:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-21_21.28.22.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-22 01:16:43 190,678 ----a-w C:\WINDOWS\system32\drivers\etc\tmvsthfss.bin
+ 2007-10-22 22:24:54 190,678 ----a-w C:\WINDOWS\system32\drivers\etc\tmvsthfss.bin
- 2007-10-22 01:22:53 190,678 ----a-w C:\WINDOWS\system32\drivers\etc\tmvsthfud.bin
+ 2007-10-22 22:31:46 190,678 ----a-w C:\WINDOWS\system32\drivers\etc\tmvsthfud.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62847C44-E7F0-E157-A841-992B2C90DFB5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 00:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 19:48]
"NDSTray.exe"="NDSTray.exe" []
"Toshiba Hotkey Utility"="c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 13:57]
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 01:06]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 20:37]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 14:44 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 11:22 C:\WINDOWS\agrsmmsg.exe]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 15:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 04:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 17:06]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 10:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-10-19 02:10:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys
R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys
R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c91797d-ab4e-11db-ab08-00163695f5ff}]
AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b37d2ea-7601-11dc-abf0-00163695f5ff}]
AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a91cb90-941a-11db-aaf2-00163695f5ff}]
AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe
play\command - "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-22 01:11:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 18:32:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-22 18:39:13
C:\ComboFix2.txt ... 2007-10-21 21:28
.
--- E O F ---

#6 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 23 October 2007 - 08:30 AM

Ultra Classic

Good job.

Could I see one more fresh Hijackthis log?
Posted Image
Microsoft MVP - Windows Security

#7 Ultra Classic

Ultra Classic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 23 October 2007 - 05:19 PM

BamaJim

Here you go. Some improvement, but still sluggish at start up. Thanks again.

Logfile of Trend Micro HijackThis v2.0.2


Scan saved at 6:09:18 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {62847C44-E7F0-E157-A841-992B2C90DFB5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8530 bytes

#8 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 24 October 2007 - 09:10 AM

Ultra Classic

1. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
2. Run an online virus scan called Kaspersky from HERE.1. Click on "Kaspersky Online Scanner"
2. A new smaller window will pop up. Press on "Accept". After reading the contents.
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next"->>"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
5. Then click on "My Computer". And the scan will start.
6. When the scan is complete Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan

==========

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.


Ultra Classic

1. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
2. Run an online virus scan called Kaspersky from HERE.1. Click on "Kaspersky Online Scanner"
2. A new smaller window will pop up. Press on "Accept". After reading the contents.
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next"->>"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
5. Then click on "My Computer". And the scan will start.
6. When the scan is complete Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan

==========

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Ultra Classic

1. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
2. Run an online virus scan called Kaspersky from HERE.1. Click on "Kaspersky Online Scanner"
2. A new smaller window will pop up. Press on "Accept". After reading the contents.
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next"->>"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
5. Then click on "My Computer". And the scan will start.
6. When the scan is complete Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan

==========

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.
Posted Image
Microsoft MVP - Windows Security

#9 Ultra Classic

Ultra Classic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 24 October 2007 - 09:52 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 24, 2007 10:45:28 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/10/2007
Kaspersky Anti-Virus database records: 444164
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 62873
Number of viruses found: 12
Number of infected objects: 39
Number of suspicious objects: 2
Duration of the scan process: 01:29:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-10152007-163332.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C62EDD42-DCA7-4155-9BAE-EC766DB4AC60} Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Temp\~DFC021.tmp Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Temp\~DFC055.tmp Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nick\ntuser.dat.LOG Object is locked skipped
C:\Downloads\hjt\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\hjt\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\hjt\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\147.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\152.tmp/data0007 Infected: Trojan-Downloader.Win32.Zlob.cok skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\152.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\152.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\15E.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\15F.tmp Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\1E.tmp/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.av skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\1E.tmp CAB: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\1E.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\34.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\41.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\41.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\41.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\46.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\4A.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E5.tmp Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\ED.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\EE.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\EF.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F0.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F1.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F2.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F3.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F4.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F5.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F6.tmp Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F7.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F8.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP45\A0235948.dll Infected: Trojan-Downloader.Win32.Zlob.cou skipped
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP45\A0235950.exe Infected: Trojan-Downloader.Win32.Zlob.cps skipped
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP45\A0236948.dll Infected: Trojan-Downloader.Win32.Zlob.cou skipped
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP45\A0236949.exe Infected: Trojan-Downloader.Win32.Zlob.cps skipped
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP46\A0236985.dll Infected: Trojan-Downloader.Win32.Bojo.e skipped
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP46\A0236988.exe Infected: Trojan-Downloader.Win32.Zlob.cps skipped
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP46\A0236991.dll Infected: Trojan-Downloader.Win32.Zlob.cou skipped
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP63\A0242097.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP66\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E5C52D81-EDAA-4BD7-B04D-01BAAB7798FF}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5e0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 25 October 2007 - 08:01 AM

Ultra Classic

Looks good. You need to emtpy your Trend Quarantine folder.

How's your PC running now?
Posted Image
Microsoft MVP - Windows Security

#11 Ultra Classic

Ultra Classic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 25 October 2007 - 07:27 PM

Many thanks. Working great -- Bleeping Computer Rocks.

#12 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 26 October 2007 - 11:00 AM

Ultra Classic

You are most welcome

You may now remove/delete/uninstall the tools we used to clean your PC

Now that your log is clean

There are some final notes:
Disable and Enable System RestoreLets create a clean System Restore point
the instructions are here
Update your Anti Virus Software

Use and maintain a Firewall

Download and install SiteHound by Firetrust for protection against malicious websites.

Pick the version that matches your browser

Visit Microsoft's Windows Update Site Frequently for critical updates

Backup your Important Documents and Files on a regular basisTo a disc or a USB key, not your Hardrive
You may want to read this article"So how did I get infected in the first place" by Tony Klein

surf safe
Posted Image
Microsoft MVP - Windows Security




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users