
Moderator Quietman7 Said Post A Hijackthis Log - I Think I'm Infected!


  • This topic is locked
81 replies to this topic

#1 Gary's Girl


Posted 31 October 2007 - 05:25 PM

Toshiba Satellite M45-S355; 1.8 Ghz Intel Processor; 1 GB RAM; 100 GB HDD; XP Home SP2

After I STUPIDLY downloaded a free graphics converter, the computer started misdirecting websites and opening programs by itself. I ran Norton's AV, Ad-Aware Plus, Spy Sweeper, Panda Totalscan and Trend Micro Housecall. Totalscan found an RKInstaller but couldn't delete it. I removed Norton's and purchased Zone Alarm Internet Security Suite and ran its scans. Someone also told me there was a rootkit on the drive and to reformat.

I used the Toshiba recovery CD and noticed that it only did a quick format before reinstalling Windows. After the recovery, I updated Windows and set it to Automatic Update, which it has done several times since then. Also, the recovery CD put all the extra junk Toshiba had loaded when it was new and I took a lot of that stuff off again. Even though the computer was running much slower than it ever had before the recovery, I did go ahead and reinstall some of my programs and files (not nearly all).

Since then, the computer has had the same problems of spawning programs and misdirecting websites two or three times; however, a blue screen memory dump has happened several times and, as I said, the computer is too slow. Also, it freezes up and has to be turned off with the power button and restarted several times a day - which is something else it wasn't doing before.

I posted my problem in another forum, and Quietman7 (moderator) responded and said that a quick format would not have gotten rid of all the problems and that I should post a HiJackThis log. I have followed all of the instructions in the link he sent me to which gave instructions about preparing to send the log.

Today before I got his message, I had registered with your site and already run:
Pitstop (which I had to pay for to get it to fix the Trojans it found and then it said it couldn't fix the Trojans it found);
A-squared, which stalled (after it said it had found 136 'items') and had to be terminated before the final result;
and early this morning I ran Panda Totalscan (which I bought a subscription to after the recovery);
and Trend Micro Housecall, and they only found a couple of minor cookie things.

Today, I also ran Spy Sweeper and it found nothing;
ran Ad-aware Plus three times and removed the things it found the first and second times, although none of them were serious;
ran Spy-bot Search and Destroy twice (it found and deleted a couple of 'click' something or others);
and have SpywareBlaster installed, too.

I shut the system down several times between scans. I also deleted all the temp files and cookies and emptied my recycle bin.

Then, I only lacked the Stinger scan (it found nothing) and the Bit Defender scan (it found Trojan.SwfDL and GenPack:Generic.Lineage.93900A89. It said it couldn't disinfect them, then it said it deleted them).

I have a Windows XP Pro CD that was used on my previous computer which died and was scrapped before I bought this one - - it's a 2002 OEM version, but I don't know if it's okay to use an OEM CD from another computer or even if it's legal to reuse a Microsoft product even though it's not the same computer but the same owner. If anyone knows the answer to that, I could reformat from scratch and use the Pro CD, but I'm not sure how to proceed with that.

I greatly appreciate any help anyone can give. Thanks, thanks, and more thanks in advance. Here's the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:45 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] "C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" -boot
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193721760345
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...152/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10461 bytes


Again, thanks so much.
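Reading a log like the one above by hand is slow, so here is a small triage parser, written as an added example for this thread (it is not part of HijackThis or of the forum's own tooling). It runs over a handful of lines constructed from the posted log, splits the running-process list from the R/O entries, and flags the entries a reviewer checks first: O4 autostarts that name a bare file with no path (resolved by PATH search, so the copy that runs must be confirmed), O4 autostarts whose program is not in the running-process list, orphaned "(no file)" entries, O16 ActiveX downloads, and O23 services with an unknown owner.

```python
"""Minimal triage parser for HijackThis v2 logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a few lines taken from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:45 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Weather] "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" 1
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

--
End of file - 1234 bytes
"""


@dataclass
class Entry:
    section: str  # "R0", "O4", "O23", ...
    body: str     # everything after "<section> - "


@dataclass
class HjtLog:
    processes: List[str]
    entries: List[Entry]


ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")


def parse_log(text: str) -> HjtLog:
    """Split a HijackThis log into the running-process list and the R/O entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # blank line ends the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return HjtLog(processes, entries)


def executable_of(command: str) -> str:
    """Return the program part of an O4 command: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(log: HjtLog) -> List[Tuple[str, str, str]]:
    """Return (section, reason, detail) for the entries a reviewer looks at first."""
    findings = []
    running = {p.rsplit("\\", 1)[-1].lower() for p in log.processes}
    for e in log.entries:
        if e.section == "O4":
            m = O4_RE.match(e.body)
            if not m:
                continue
            hive, name, command = m.groups()
            exe = executable_of(command)
            if "\\" not in exe:   # no path: Windows resolves it by PATH search
                findings.append(("O4", "bare filename, resolved via PATH search", f"{hive} [{name}] {command}"))
            elif exe.rsplit("\\", 1)[-1].lower() not in running:
                findings.append(("O4", "autostart not seen in running processes", f"{hive} [{name}] {exe}"))
        elif "(no file)" in e.body:
            findings.append((e.section, "orphaned entry, target file missing", e.body))
        elif e.section == "O16":
            findings.append(("O16", "ActiveX control downloaded from web", e.body.split(" - ")[-1]))
        elif e.section == "O23":
            m = O23_RE.match(e.body)
            if m and m.group(2) == "Unknown owner":
                findings.append(("O23", "service with unknown vendor", m.group(3)))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {reason}: {detail}")
```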


#2 SifuMike

    malware expert



Posted 02 November 2007 - 01:59 PM

Hello HomesickInTexas,

Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

After running the antivirus program, reboot and post a fresh Hijackthis log.



I can see you have Spybot Teatimer running, but do you also have Spysweeper and Adaware AdWatch registry protectors running?
You should be running only ONE registry protector on your computer.
More than one will greatly slow your computer.

To disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.

Edited by SifuMike, 02 November 2007 - 02:09 PM.


#3 Gary's Girl


Posted 02 November 2007 - 05:17 PM

Dear SifuMike;

Thank you so much for your reply! I REALLY appreciate your help.

Is it possible you missed Zone Alarm Internet Security (with anti-virus) when you checked the log? It is installed and says that everything is working. It's possible that in following the instructions for preparation to post a HiJackThis log that I may have turned it off and didn't turn it back on before running HiJackThis. I didn't think so - with all the rebooting between scans, the whole suite would have been restarted. Zone Alarm is the only anti-virus I have installed and it's the only firewall activated, since I have Windows firewall turned off.

Anyway, I made sure it had updated today and then ran a full virus scan about noon; it found nothing. I also ran: PitStop Exterminate's free scan; SpyBot (found nothing); Ad-Aware Plus (found a few tracking cookies); Spy Sweeper (found nothing); * Spyware Doctor (a few more cookies); and * Max Spyware Detector.

You'll notice that I installed the other 2 anti-spyware * programs I own today. When I ran the Pitstop scan I was mortified that it found something called a "Kitten Free Sex Dialer." Nothing I had installed would locate it, and I didn't know how to get it off my system. Spyware Doctor didn't find it, either, but Max Spyware Detector found 9 registry entries with a reference to it and deleted them; I'm not sure if that means it's all gone or not.

I NEVER look at pornography! So few other people ever use my computer, but we recently had a houseguest we'd taken in temporarily because he was homeless. I woke up at 2:30 one morning and found him with MY laptop, looking at porn sites. We woke him up and put him out of the house immediately, but I guess it was too late.

Later, I checked the history folder and found he'd done that every night he'd been there and had visited over 100 porn sites those 5 nights. I thought I had gotten all that junk off, especially since I used the Toshiba recovery disk last week. From now on I keep my laptop in my room when we have guests at night!

I turned off Spy Sweeper's shields; turned off TeaTimer; turned off Zone Alarm's Spyware Guard (left everything else, including the anti-virus, running); and turned off Spyware Doctor's realtime protection. The only spyware guard or registry change guard I have running is Max Spyware Detector - at least I think that's the case. This stuff is SO CONFUSING to a non-techie.

Can you tell me if I made the right decision about the guards? It looks as if Max Spyware Detector has the most definitions in its database. Should I just go ahead and delete Spybot, the freebie? What about SpywareBlaster, another freebie? Everything I read says that you need several anti-spyware programs because there are so many threats out there; however, I've also read that they can conflict with one another.

Also, please note that the computer was running more slowly than it ever had immediately after the recovery, before I'd put anything at all on it, just trying to uninstall all of the Toshiba software I didn't want.

It dawned on me when I got your message that everything I install or change will probably change the HiJackThis log. I am so sorry. I won't change ANYTHING else until I hear from you again.

I'm adding another HiJackThis log, just after rebooting following all the scans. Again, I apologize for having to submit another log. And thanks, thanks, thanks again for your help. I appreciate it more than I can possibly say.

Sharon (Homesick in Texas)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:26 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193721760345
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...152/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10425 bytes

#4 SifuMike

    malware expert



Posted 02 November 2007 - 05:44 PM

Hello HomesickInTexas,

Is it possible you missed Zone Alarm Internet Security (with anti-virus) when you checked the log? It is installed and says that everything is working. It's possible that in following the instructions for preparation to post a HiJackThis log that I may have turned it off and didn't turn it back on before running HiJackThis.


It was turned off previously, and that was the reason I did not see it.


turned off Spy Sweeper's shields; turned off TeaTimer; turned off Zone Alarm's Spyware Guard (left everything else, including the anti-virus, running); and turned off Spyware Doctor's realtime protection. The only spyware guard or registry change guard I have running is Max Spyware Detector - at least I think that's the case. This stuff is SO CONFUSING to a non-techie.

Can you tell me if I made the right decision about the guards? It looks as if Max Spyware Detector has the most definitions in its database. Should I just go ahead and delete Spybot, the freebie? What about SpywareBlaster, another freebie? Everything I read says that you need several anti-spyware programs because there are so many threats out there; however, I've also read that they can conflict with one another.


You need one registry protector enabled.
I recommend you enable Spybot Teatimer and leave the Spysweeper turned off, as well as SpywareGuard. Having too many registry protectors running just slows your computer.

Leave SpywareBlaster, as that prevents spyware from being installed. It is not a registry protector, and uses no memory.


I see no malware in your Hijackthis log, but we can remove one item to improve startup time.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************



Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.


Let's see what you have installed on this computer.

Open HijackThis 2.0.2
Press the button 'View Misc Tools Section'
Press the button 'open uninstall manager'
Press the button 'save list'
A notepad file will open.
Post the content here in your reply.
Close HijackThis.

Edited by SifuMike, 02 November 2007 - 05:46 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
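The entries this post asks the reader to tick in HijackThis are plain text lines in a fixed layout. The parser below is an added example, not part of the thread and not HijackThis code: it splits R0/R1, O2, O4 and O23 lines into fields, flags O4 entries that name only a bare file (as the AGRSMMSG entry in the logs here does), and picks out the raw line for a value name such as SunJavaUpdateSched. SAMPLE_LOG is constructed in the shape of the entries quoted in this thread.

```python
"""Parser for HijackThis 2.0.2 log lines (R0/R1, O2, O4, O23).
Added example for this thread, not HijackThis code or any poster's code;
SAMPLE_LOG is constructed in the shape of the entries quoted above."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
O4_REG_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.*) \((?P<short>[^()]*)\) - (?P<vendor>.*?) - (?P<path>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")


@dataclass
class Entry:
    kind: str   # section code: R0, R1, O2, O4, O23, ...
    name: str   # Run value name, BHO name, service display name or IE setting
    path: str   # program/DLL path, or the URL for R0/R1 entries
    raw: str    # the original log line as HijackThis printed it
    extra: dict = field(default_factory=dict)


def executable_from_command(cmd: str) -> str:
    """Program part of a Run-key or service command line: the quoted path if
    quoted, otherwise tokens reassembled up to the first executable extension
    (so an unquoted C:\\Program Files\\x.exe /arg is recovered whole)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return tokens[0]


def parse_line(line: str):
    """One HijackThis log line -> Entry, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m["kind"], m["body"]
    if kind == "O4":
        o = O4_REG_RE.match(body)
        if o:
            return Entry(kind, o["name"], executable_from_command(o["cmd"]), line,
                         {"hive": o["hive"], "key": o["key"], "command": o["cmd"]})
    elif kind == "O2":
        o = O2_RE.match(body)
        if o:
            return Entry(kind, o["name"], o["path"], line, {"clsid": o["clsid"]})
    elif kind == "O23":
        o = O23_RE.match(body)
        if o:
            return Entry(kind, o["display"], executable_from_command(o["path"]), line,
                         {"service": o["short"], "vendor": o["vendor"]})
    elif kind in ("R0", "R1"):
        o = R_RE.match(body)
        if o:
            return Entry(kind, o["value"], o["data"], line, {"key": o["key"]})
    # Startup-folder O4 lines, O1 hosts entries and the like are kept undecoded.
    return Entry(kind, body, "", line)


def parse_log(text: str):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def unresolved_run_entries(entries):
    """O4 entries whose program is a bare file name (no drive or directory).
    Windows locates these by searching the PATH at logon, so the log line alone
    does not say which file runs; ComboFix's Reg Loading Points section in this
    thread prints the resolved path for such entries in brackets."""
    return [e for e in entries
            if e.kind == "O4" and e.path and "\\" not in e.path and "/" not in e.path]


def lines_to_fix(entries, names):
    """Raw log lines for the O4 value names a helper asked to tick and 'fix'."""
    wanted = {n.lower() for n in names}
    return [e.raw for e in entries if e.kind == "O4" and e.name.lower() in wanted]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("bare program names:", [e.name for e in unresolved_run_entries(log)])
    print("lines to fix:", lines_to_fix(log, ["SunJavaUpdateSched"]))
```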

#5 Gary's Girl

Gary's Girl
  • Topic Starter

  • Members
  • 343 posts
  • Gender:Female
  • Location:Kentucky
  • Local time:05:42 AM

Posted 02 November 2007 - 10:16 PM

SifuMike;

Okay, here's what I've done, as per your instructions - hope I understood everything right:

1. Turned off the realtime protection in: Spy Sweeper
2. Turned off the realtime protection in: The anti-spyware guard of Zone Alarm
3. Left SpywareBlaster on.
4. Turned on Spybot's Teatimer (a lot of the 'allow' or 'block' it asks me I have to guess about because I don't know the answer!).
5. Let HiJackThis fix the O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" entry.
6. Downloaded and installed CCleaner.
7. Unchecked "Only delete files in Windows Temp folder older than 48 hours."
8. In Windows Tab, made sure everything in Internet Explorer was checked EXCEPT "Autocomplete Forum History."
9. In Windows Tab, made sure everything was checked in Windows Explorer.
10. In Windows Tab, made sure everything was checked in the System section EXCEPT for "Start Menu Shortcuts" and "Desktop Shortcuts."
11. In the Applications Tab, clicked "Sun Java" in the Internet section (I don't have Firefox or Opera installed).
12. And I REALLY hope I understood this part correctly: I DID NOT use the "Scan for Issues" button in the "Registry Button." - - AND I unchecked everything in the "Registry Integrity" box.
13. Clicked "Clean" and "OK". It said it removed 13.8 MB.

But then, when I x-ed out of the program so I could reboot the system as you instructed, I IMMEDIATELY got a blue screen STOP ERROR: BAD_POOL_CALLER. (Then of course - all the stuff about uninstalling new hardware/software), then STOP: 0x0000000C1 (0x00000007, 0x00000CD4, 0x0000000, 0xE33227C8).
The physical memory dumped and I had to use the power button to turn off and reboot. I've gotten that blue screen several times but never have seen the 'BAD_POOL_CALLER' phrase. Also, when the machine rebooted, I didn't get the Microsoft Windows Error Reporting option.
Anyway, here's the HiJackThis uninstall list:

Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Apple Mobile Device Support
Apple Software Update
CCleaner (remove only)
CD/DVD Drive Acoustic Silencer
DAO 3.5
DVD-RAM Driver
Encyclopaedia Britannica 2005 Deluxe Edition CD-ROM
e-Sword
Hear and Play Software
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Update
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
Java™ 6 Update 3
Lotus NotesSQL 3.01 driver
Lotus SmartSuite - English
Mah Jong Medley
mCore
mDrWiFi
mEoU.msi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
mIWA
mIWCA
mLogView
mMHouse
modulation1setup
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB936181)
mWlsSafe
mXML
mZConfig
PacMania
Panda TotalScan
Pattern Piano and Keyboard Demo
PCPitstop Panda AntiVirus Scan (remove only)
Picasa 2
Professor Franklin
Quicken Deluxe 2000
QuickTime
RealPlayer Basic
Roxio Burn Engine
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Shockwave
Sonic DLA
Sonic RecordNow!
SoundMAX
Spy Sweeper
Spybot - Search & Destroy
Spyware Detector (recently purchased)
Spyware Doctor 5.0
SpywareBlaster v3.5.1
Super TextTwist
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
The Print Shop 20
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Media Player
WeatherBug
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Worship Lessons for Piano and Keyboard Vol. 2
ZoneAlarm Security Suite

All the programs I have installed are programs I've run for a long time and never had trouble with. All that Toshiba stuff it put on when I used the recovery disk, I'd like to uninstall - but I'm not sure what I can safely get rid of in this Toshiba installation. Before the recovery, remember that the computer had been formatted and Windows XP Pro installed only - none of the Toshiba stuff was on here. There's a ConfigFree thing that I have to shut off every time I boot up and I don't know what that other Toshiba stuff does. If you know what I can safely get rid of without messing something up, that would be great.

Here is my list of programs that I know what they are and I use them and want to keep them if at all possible (I have a lot of money invested in some of them):
Ad-Aware Plus 2007
Encyclopedia Britannica
e-Sword (a free Bible software program that I've purchased lots of add-ons for - used for 2 years)
Hear and Play Software (Piano Course)
HP is my printer
Lotus SmartSuite (word processor)
Mah Jong Medley (game I've had 2-3 years)
PacMania (game I've had several years)
Panda Totalscan (paid for)
Pattern Piano and Keyboard (Part of the Piano Course)
Picasa 2 (free microsoft picture viewer)
Professor Franklin (photo editor)
Quicken
Quick Time (unless I need to take it off - free, didn't pay for it)
Real Player (unless I need to take it off - free, didn't pay for it)
Sonic (CD burner)
Spy Sweeper (if I can still use it to scan, even though realtime protection turned off)
Super TextTwist (game I've had 2-3 years)
The Print Shop (DTP)
Weather Bug (Free weather forecast and temperature)
Windows Defender (if I need it)
Windows Media Player, of course.
Worship Lessons for Piano... (Part of Piano Course)
Zone Alarm (Internet Security Suite)

Also, should I take CCleaner off now since it's dangerous to use it if you don't know what you're doing? Because I took off a lot of trial stuff Toshiba recovery put on, do we need to do something with the registry integrity part?

Thanks ever so much for your assistance. You are VERY GREATLY APPRECIATED!

Sharon (Homesick In Texas)

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:42 AM

Posted 02 November 2007 - 10:55 PM

Hi Sharon,

Also, should I take CCleaner off now since it's dangerous to use it if you don't know what you're doing? Because I took off a lot of trial stuff Toshiba recovery put on, do we need to do something with the registry integrity part?


CCleaner is safe to use. Only thing you do NOT want to touch is the Registry Box. Just too dangerous for most users. CCleaner just deletes temp files and temp application files.

If you uninstalled Toshiba trial stuff that is all you need to do. No registry changes are necessary.

none of the Toshiba stuff was on here. There's a ConfigFree thing that I have to shut off every time I boot up and I don't know what that other Toshiba stuff does. If you know what I can safely get rid of without messing something up, that would be great.


I am not a Toshiba expert and I don't know what those Toshiba programs do, so I can't give you recommendations of what to uninstall. Some of them may be necessary.
You should go to another of our forums and ask someone that is a Toshiba expert.


Let's run ComboFix and see what it finds. Make sure you disable your antivirus before running ComboFix.


If you have used Combofix before, please delete the version you have and download it again, because Combofix is being updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.

Edited by SifuMike, 02 November 2007 - 10:57 PM.


#7 Gary's Girl

Gary's Girl
  • Topic Starter

  • Members
  • 343 posts
  • Gender:Female
  • Location:Kentucky
  • Local time:05:42 AM

Posted 03 November 2007 - 11:22 AM

SifuMike:

Hello, hope it's a great day where you are!

Here's the Combofix log:

ComboFix 07-11-01.1 - SDW 2007-11-04 10:04:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.610 [GMT -6:00]
Running from: C:\Documents and Settings\SDW\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\hosts

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-04 10:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 17:38 <DIR> d-------- C:\Program Files\CCleaner
2007-11-03 14:35 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-11-03 14:35 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-11-03 14:35 11,728 --a------ C:\WINDOWS\system32\SDEarlyDelete.exe
2007-11-03 14:02 123 --a------ C:\WINDOWS\system\SysSD.dll
2007-11-03 13:59 <DIR> d-------- C:\Program Files\SpywareDetector
2007-11-03 12:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-03 12:38 <DIR> d-------- C:\Documents and Settings\SDW\Application Data\PC Tools
2007-11-03 12:38 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-03 12:38 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-03 12:38 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-03 12:38 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-11-03 12:38 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-03 12:01 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-03 11:52 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-02 21:58 <DIR> d-------- C:\Program Files\Alawar
2007-11-02 21:54 <DIR> d-------- C:\Documents and Settings\SDW\Application Data\Sonic
2007-11-01 16:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 11:56 <DIR> d-------- C:\Program Files\e-Sword
2007-11-01 11:37 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-01 10:42 <DIR> d-------- C:\Program Files\Webroot
2007-11-01 10:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-01 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-01 10:42 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-01 10:42 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-01 10:42 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-01 10:42 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-01 10:42 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-01 10:38 <DIR> d-------- C:\Documents and Settings\SDW\Application Data\Webroot
2007-11-01 02:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-01 01:44 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-11-01 00:36 <DIR> d-------- C:\Program Files\PCPitstop
2007-11-01 00:08 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-31 23:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-31 16:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-31 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-31 16:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 14:33 <DIR> d-------- C:\Program Files\GameHouse
2007-10-30 14:30 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-10-30 14:25 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-10-30 14:25 <DIR> d-------- C:\Program Files\QuickTime
2007-10-30 14:14 <DIR> d-------- C:\Documents and Settings\SDW\Application Data\Apple Computer
2007-10-30 14:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-30 14:13 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-30 14:07 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-30 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-30 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-30 13:37 <DIR> d-------- C:\Documents and Settings\SDW\Application Data\AdobeUM
2007-10-30 10:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-30 10:08 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-30 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-30 08:39 <DIR> d-------- C:\Program Files\Java
2007-10-30 08:38 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-30 03:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-30 02:31 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-30 01:49 14,128 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2007-10-30 01:41 <DIR> d-------- C:\Program Files\Panda Security
2007-10-30 01:19 <DIR> d-------- C:\Program Files\Common Files\HP
2007-10-30 01:17 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-10-30 01:16 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-10-30 01:15 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-10-30 01:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-10-30 01:15 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-10-30 01:15 73,728 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-10-30 01:15 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-10-30 01:15 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-10-30 01:13 <DIR> d-------- C:\Program Files\HP
2007-10-30 01:10 68,886 --a------ C:\WINDOWS\hpoins05.dat
2007-10-30 01:10 19,696 --------- C:\WINDOWS\hpomdl05.dat
2007-10-30 01:09 <DIR> d-------- C:\temp
2007-10-30 00:22 <DIR> d-a------ C:\E-Sword Setup
2007-10-29 23:26 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-29 22:45 <DIR> d-------- C:\WINDOWS\Cache
2007-10-29 22:14 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-10-29 22:14 <DIR> d-------- C:\Program Files\Britannica 2005
2007-10-29 22:12 <DIR> d--h----- C:\Documents and Settings\SDW\InstallAnywhere
2007-10-29 22:03 30 --a------ C:\WINDOWS\INTURS.DAT
2007-10-29 21:56 1,039,360 --a------ C:\WINDOWS\system32\msjet35.dll
2007-10-29 21:56 251,664 --a------ C:\WINDOWS\system32\msrd2x35.dll
2007-10-29 21:56 37,136 --a------ C:\WINDOWS\system32\Msjint35.dll
2007-10-29 21:56 24,336 --a------ C:\WINDOWS\system32\msjter35.dll
2007-10-29 21:55 <DIR> d-------- C:\QUICKENW
2007-10-29 21:55 <DIR> d-------- C:\Program Files\Intuit
2007-10-29 21:51 <DIR> d-------- C:\JAYNA
2007-10-29 21:50 <DIR> d-------- C:\WINDOWS\LANGUAGE
2007-10-29 21:50 145,920 --a------ C:\WINDOWS\system32\ILIUNI32.DLL
2007-10-29 21:50 78,336 --a------ C:\WINDOWS\system32\ILI32.DLL
2007-10-29 21:50 49,152 --a------ C:\WINDOWS\system32\LANGMAN.EXE
2007-10-29 21:50 16,384 --a------ C:\WINDOWS\system32\ILI.EXE
2007-10-29 21:48 <DIR> d-------- C:\NavPress
2007-10-29 21:30 <DIR> d-------- C:\Program Files\Blues for Piano and Keyboard 10.0
2007-10-28 21:18 <DIR> d-------- C:\Program Files\Hear and Play Software
2007-10-28 21:08 <DIR> d-------- C:\Program Files\Pattern Piano and Keyboard Downloadable 2.0
2007-10-28 21:07 <DIR> d-------- C:\Program Files\PayPerView Lessons Modulation Tips and Tricks Vol 1
2007-10-28 21:05 <DIR> d-------- C:\Program Files\modulation1setup
2007-10-28 21:04 <DIR> d-------- C:\Program Files\Piano Lessons Unlimited
2007-10-28 19:08 <DIR> d-------- C:\Program Files\PlayPianoTODAY
2007-10-28 19:06 <DIR> d-------- C:\Program Files\PayPerView Lessons Intros Fillers and Turnarounds
2007-10-28 19:03 <DIR> d-------- C:\Program Files\WINv7xSetup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 03:17 81,836 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-30 21:40 --------- d-----w C:\Program Files\Notebook Maximizer
2007-10-30 19:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-30 04:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-29 03:11 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-10-28 18:58 --------- d-----w C:\Program Files\Intel
2007-10-28 18:47 --------- d-----w C:\Program Files\Sonic
2007-10-28 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-28 17:12 --------- d-----w C:\Program Files\Napster
2007-10-28 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-28 17:10 --------- d-----w C:\Program Files\Quicken
2007-10-28 17:05 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-28 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-28 11:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-28 11:03 --------- d-----w C:\Program Files\Google
2007-09-07 00:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-07 00:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 02:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 02:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 02:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 02:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 02:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 02:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 02:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 02:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 02:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 10:31]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 16:28]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 16:26]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-14 21:12]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-05 19:16]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 16:37 C:\WINDOWS\agrsmmsg.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 17:03]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 19:57]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 15:48]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 10:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 03:05]
"TPSMain"="TPSMain.exe" [2004-08-27 11:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 16:03]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 13:12]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 13:27]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 13:31]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 18:14]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-03 12:40]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-09-17 12:40]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-09-17 12:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 05:24]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 17:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 13:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-08-22 14:25 167936 C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-30 20:07:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-04 15:32:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 10:05:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-04 10:06:12
.
--- E O F ---


And here's the new HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:09 AM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193721760345
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...152/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10595 bytes


Did you have any ideas about that blue screen thing I put in my last post? Also, has the Windows Error Reporting function gotten turned off somehow, do ya think? It didn't pop up after the last stop error.

A million happy thoughts coming your way for all your help!

Sharon

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:42 AM

Posted 03 November 2007 - 12:27 PM

Hi HomesickInTexas,

Your log looks clean! :thumbsup: Good job on the cleanup!

Uninstall ComboFix, go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Did you have any ideas about that blue screen thing I put in my last post?

Also, has the Windows Error Reporting function gotten turned off somehow, do ya think? It didn't pop up after the last stop error.

when I x-ed out of the program so I could reboot the system as you instructed, IMMEDIATELY got a blue screen STOP ERROR: BAD_POOL_CALLER. (Then of course - all the stuff about uninstalling new hardware/software), then STOP: 0x0000000C1 (0x00000007, 0x00000CD4, 0x0000000,OxE33227C8).
The physical memory dumped and I had to use the power button to turn off and reboot. I've gotten that blue screen several times but never have seen the 'BAD_POOL_CALLER' phrase.

We did not change anything with the Windows Error Reporting. We did remove some malware, so maybe it has nothing to report.

The HijackThis forum deals exclusively with virus and malware issues. I have a feeling that this is a driver, application or memory issue.

HijackThis does not have the capability to analyze performance, hardware or application issues.

For the type of issue(s) you describe I would suggest posting to the Windows XP Home and Professional forum. The techs in that forum specialize in matters pertaining to Windows XP issues. Let them know that you have been to this forum and that no malware was found.

When posting to any other forum, do not post a HijackThis log or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the techs can analyze the issue and make any recommendations for resolving it.




Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
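SifuMike's "looks clean" verdict rests on reading the entries of the HijackThis log Sharon posted earlier in the thread. As an added example that is not the forum's or HijackThis's own code, this Python parses that line format (the running-process list, O4 Run entries and O23 services) and flags the items a reviewer checks by hand: Run entries that name a bare executable with no directory, services HijackThis lists as "Unknown owner", and running processes with no autostart entry explaining them. The sample log lines are constructed in the thread's format, and the function names and flag heuristics are my own.

```python
import re

# Constructed sample in the HijackThis format shown in this thread (not the real log).
SAMPLE_LOG = r"""
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\")

def exe_of(cmd):
    # Executable of a Run command: the quoted path, or the first whitespace-delimited token.
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def basename(path): return path.rsplit("\\", 1)[-1].lower()

def parse_hjt(text):
    # Returns (running_process_paths, entries); entries are dicts keyed by HJT section.
    procs, entries = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if PROC_RE.match(line):
            procs.append(line.strip())
        elif m:
            e = {"kind": m["kind"], "body": m["body"]}
            o4 = O4_RE.match(e["body"]) if e["kind"] == "O4" else None
            if o4:
                e.update(name=o4["name"], cmd=o4["cmd"], exe=exe_of(o4["cmd"]))
            elif e["kind"] == "O23" and e["body"].startswith("Service: "):
                parts = e["body"][9:].rsplit(" - ", 2)  # "<name> - <owner> - <path>"
                if len(parts) == 3:
                    e.update(name=parts[0], owner=parts[1], path=parts[2])
            entries.append(e)
    return procs, entries

def triage(procs, entries):  # hypothetical heuristics; returns (reason, line) pairs
    flags, autostart = [], set()
    for e in entries:
        if "exe" in e:
            autostart.add(basename(e["exe"]))
            if "\\" not in e["exe"]:           # bare name: resolved via the search path at logon
                flags.append(("O4 bare executable without a directory", e["body"]))
        elif "path" in e:
            autostart.add(basename(e["path"]))
            if e["owner"] == "Unknown owner":  # HJT read no company name from the file
                flags.append(("O23 service with no vendor information", e["body"]))
    for p in procs:
        if basename(p) not in autostart:       # process with no autostart entry explaining it
            flags.append(("running process without an O4/O23 entry", p))
    return flags
```

Flagged items are starting points for a manual check, not verdicts; a bare name such as AGRSMMSG.exe in the real log is a normal modem driver entry, which is why a human still reads the log.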

#9 Gary's Girl

Gary's Girl
  • Topic Starter

  • Members
  • 343 posts
  • OFFLINE
  • Gender:Female
  • Location:Kentucky
  • Local time:05:42 AM

Posted 03 November 2007 - 01:33 PM

Oooops! I somehow messed up the ComboFix delete. When I typed in ComboFix /u - the black box came up and it looked as if it was going to run ComboFix again and I panicked and x-ed it out! Now when I type in ComboFix /u - it says "Windows cannot find ComboFix" - but there are still ComboFix files when I do an Explorer search. Can I fix it?

Thank you IMMENSELY!
Sharon

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:42 AM

Posted 03 November 2007 - 01:39 PM

Hi Sharon,

Try installing ComboFix and then uninstall ComboFix, go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

#11 Gary's Girl

Gary's Girl
  • Topic Starter

  • Members
  • 343 posts
  • OFFLINE
  • Gender:Female
  • Location:Kentucky
  • Local time:05:42 AM

Posted 03 November 2007 - 01:46 PM

Sorry to be so dense - do you mean download it again or run the Combofix.exe on my desktop. When I click the one on the desktop, it asks if I want to run it. Will that run the scan again or just install it - I can't remember and I wasn't sure if I should chance letting it run again without your instructions.

Thanks,
S.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:42 AM

Posted 03 November 2007 - 01:52 PM

Hi Sharon,

do you mean download it again or run the Combofix.exe on my desktop. When I click the one on the desktop, it asks if I want to run it. Will that run the scan again or just install it - I can't remember and I wasn't sure if I should chance letting it run again without your instructions.

Sorry, I was not clear in my instructions.

Delete the ComboFix on your desktop.

Then download and install ComboFix (see my previous post for the link).

After it is installed (do not run it), then to uninstall ComboFix, go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

#13 Gary's Girl

Gary's Girl
  • Topic Starter

  • Members
  • 343 posts
  • OFFLINE
  • Gender:Female
  • Location:Kentucky
  • Local time:05:42 AM

Posted 03 November 2007 - 02:05 PM

So, so, sorry again. I deleted the Combofix from my desktop and downloaded Combofix.exe from your previous link to my desktop. However, when I click it a box comes up that asks if I want to run it? If I click run after clicking Combofix.exe on the desktop, won't the program run again? There doesn't seem to be an install - - there's an .exe on the desktop - doesn't an .exe run the program? Sorry, I just want to make sure I've understood - you said don't run it again.

Thanks again,
S.

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:42 AM

Posted 03 November 2007 - 02:12 PM

My mistake. :thumbsup: Run ComboFix and that will install the program.

#15 Gary's Girl

Gary's Girl
  • Topic Starter

  • Members
  • 343 posts
  • OFFLINE
  • Gender:Female
  • Location:Kentucky
  • Local time:05:42 AM

Posted 03 November 2007 - 02:28 PM

Done! Again, SifuMike - can't thank you enough for your help! I will read the material you suggested and post my software questions in the other forum. You are appreciated more than you could possibly know!

Until we meet again,
Sharon



