Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Troj_agent.dlm, Troj_bzub.fb


  • Please log in to reply
8 replies to this topic

#1 chocolate_bar85

chocolate_bar85

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:13 PM

Posted 21 February 2008 - 07:42 AM

Hi. Like everyone else I can't get rid of these damn viruses.
Trend micro PC-Cillin keeps detecting these viruses and blocking their action, but the continual popups are annoying. Also it appears that internet explorer has been somehow prevented from accessing ANY website at all. I have tried deleting the affected files (C/windows/system32/appcert/wsil32.dll, C/windows/system32/dfrgsnaps.dll) but it tells me "denied access".
I have done all the procedures described in the "preparation to post a log" page, so here is the log. I wouold really appreciate the help.
Thanks in advance. David

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:30, on 2008-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David Bartholomeusz\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {95C22C7B-68E2-4111-BF3E-D1ECBAA46931} - C:\WINDOWS\system32\dfrgsnaps.dll
O2 - BHO: (no name) - {C338BFCE-E106-45A4-88F6-DC4A7F2B7CF5} - c:\windows\system32\audiodevk.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [etgtizd6] C:\WINDOWS\system32\etgtizd6.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [etgtizd6] C:\WINDOWS\system32\etgtizd6.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148653068804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148653556878
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CC01749-0897-4654-82DC-DA74659C8D98}: NameServer = 203.49.70.20 139.134.2.190
O20 - Winlogon Notify: lyskmehf - audiodevk.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11239 bytes

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 23 February 2008 - 08:10 AM

Hi chocolate_bar85 and Welcome to the Bleeping Computer! :thumbsup:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 chocolate_bar85

chocolate_bar85
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  

Posted 24 February 2008 - 05:35 AM

here is the copies of main.txt and extra.txt as requested. Hope this helps.

David
Main.txt
Deckard's System Scanner v20071014.68
Run by David Bartholomeusz on 2008-02-24 20:05:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2008-02-24 10:06:09 UTC - RP41 - Deckard's System Scanner Restore Point
38: 2008-02-24 00:47:21 UTC - RP40 - System Checkpoint
37: 2008-02-22 12:56:51 UTC - RP39 - System Checkpoint
36: 2008-02-20 09:43:20 UTC - RP38 - System Checkpoint
35: 2008-02-19 06:49:21 UTC - RP37 - System Checkpoint


-- First Restore Point --
1: 2008-01-16 08:24:51 UTC - RP3 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as David Bartholomeusz.exe) ---------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-24 20:11:31
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\BRSVC01A.EXE
C:\WINDOWS\system32\BRSS01A.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security 2006\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TME3\tmesbs32.exe
C:\Program Files\Toshiba\TME3\TMESRV31.exe
C:\Program Files\Trend Micro\Internet Security 2006\Tmntsrv.exe
C:\Program Files\Toshiba\TME3\TMEEJME.exe
C:\Program Files\Trend Micro\Internet Security 2006\tmproxy.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\TME3\TMERzCtl.exe
C:\Program Files\Toshiba\TME3\tmesbs32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\agrsmmsg.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Toshiba\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MaAgent.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David Bartholomeusz\My Documents\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {95C22C7B-68E2-4111-BF3E-D1ECBAA46931} - C:\WINDOWS\system32\dfrgsnaps.dll
O2 - BHO: (no name) - {C338BFCE-E106-45A4-88F6-DC4A7F2B7CF5} - c:\windows\system32\audiodevk.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - ID - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [etgtizd6] C:\WINDOWS\system32\etgtizd6.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [etgtizd6] C:\WINDOWS\system32\etgtizd6.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148653068804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148653556878
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: lyskmehf - C:\WINDOWS\system32\audiodevk.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\BRSVC01A.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security 2006\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\Toshiba\TME3\tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\Toshiba\TME3\TMESRV31.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security 2006\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2006\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2006\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 11979 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 okxmlkam - c:\windows\system32\drivers\sblvyzth.dat
R0 TVALZ (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalz.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Common Modules>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsubleepa Electric Industrial Co.,Ltd.; >
R1 TMEI3E - c:\windows\system32\drivers\tmei3e.sys <Not Verified; Toshiba Corporation; Toshiba Mobile Extension>
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>
R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>
R3 moufiltr (Office Mouse Filter Driver) - c:\windows\system32\drivers\moufiltr.sys <Not Verified; Chic Tech.; Chic Tech.>
R3 TEchoCan (Toshiba Audio Effect) - c:\windows\system32\drivers\techocan.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Audio Effect>

S3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsubleepa Electric Industrial Co., Ltd.; >
R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 Tmesbs (Tmesbs32) - "c:\program files\toshiba\tme3\tmesbs32.exe" /service <Not Verified; TOSHIBA Corporation; TOSHIBA Mobile Extension Slim Select Bay Service>
R2 Tmesrv (Tmesrv3) - "c:\program files\toshiba\tme3\tmesrv31.exe" /service <Not Verified; TOSHIBA; TOSHIBA MobileExtension Service>
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>

S2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 2.0>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-24 13:19:55 438 --a------ C:\WINDOWS\Tasks\At1.job
2006-03-30 08:09:27 440 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-01-24 and 2008-02-24 -----------------------------

2008-02-19 10:00:29 718880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-19 09:57:46 0 d-------- C:\Program Files\ZoneAlarmSB
2008-02-19 09:55:09 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-19 09:54:43 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-19 09:54:30 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-02-19 09:53:32 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-19 09:46:47 0 d-------- C:\WINDOWS\Internet Logs
2008-02-17 00:01:38 0 d-------- C:\Documents and Settings\David Bartholomeusz\.housecall6.6
2008-02-16 21:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 01:03:28 0 d-------- C:\Program Files\Lavasoft
2008-02-15 01:03:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 12:13:57 0 d-------- C:\Documents and Settings\emily\Application Data\Apple Computer
2008-01-31 22:06:09 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-01-25 19:03:03 0 d-------- C:\Documents and Settings\emily\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-02-21 22:01:33 0 d-------- C:\Documents and Settings\David Bartholomeusz\Application Data\AdobeUM
2008-02-15 01:01:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-13 17:35:47 36608 --a------ C:\WINDOWS\system32\vopwybrc.dat
2007-12-29 22:36:51 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-12-29 22:36:51 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-12-29 22:36:51 35072 --a------ C:\WINDOWS\system32\jotohjqc.dat
2007-12-29 22:36:51 741632 --a------ C:\WINDOWS\system32\dxjcyykb.dat
2007-12-29 22:36:50 42240 --a------ C:\WINDOWS\system32\lkvnbqss.dat
2007-12-28 22:31:47 120576 --a------ C:\WINDOWS\system32\iiwtaboh.dat
2007-12-25 00:05:03 0 d-------- C:\Program Files\MSN Messenger


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95C22C7B-68E2-4111-BF3E-D1ECBAA46931}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C338BFCE-E106-45A4-88F6-DC4A7F2B7CF5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-19 09:57 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-19 09:57 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-29 10:24]
"000StTHK"="000StTHK.exe" [2001-06-24 13:28 C:\WINDOWS\system32\000StTHK.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2004-03-26 08:36]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2004-05-27 06:04]
"TMESBS.EXE"="C:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2003-08-02 07:56]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-12-10 07:50]
"nwiz"="nwiz.exe" [2003-12-10 07:50 C:\WINDOWS\system32\nwiz.exe]
"NVRotateSysTray"="C:\WINDOWS\system32\nvsysrot.dll" [2003-12-10 07:50]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-10 08:07]
"TFNF5"="TFNF5.exe" [2003-11-17 20:42 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-03 06:45]
"TPSMain"="TPSMain.exe" [2004-06-02 13:43 C:\WINDOWS\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" []
"NDSTray.exe"="NDSTray.exe" []
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 11:29]
"Drag'n Drop CD+DVD"="C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe" [2003-08-09 11:54]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 17:00 C:\WINDOWS\agrsmmsg.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-02 03:52]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-07 01:27]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2003-11-12 13:19]
"TAudEffect"="C:\Program Files\Toshiba\TAudEffect\TAudEff.exe" [2003-12-26 09:17]
"McDiags AutoLaunch"="" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 19:11]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 16:32]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36]
"etgtizd6"="C:\WINDOWS\system32\etgtizd6.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 20:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-08 20:43]
"etgtizd6"="C:\WINDOWS\system32\etgtizd6.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-20 07:25:16]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lyskmehf]
audiodevk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
txocjosu


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caee6500-b626-11db-a7fd-000e7bba7e1a}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1600MHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 1023.3 MiB / 463.55 MiB
Pagefile Memory (total/avail): 1693.74 MiB / 1224.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.75 MiB

C: is Fixed (NTFS) - 55.89 GiB total, 29.68 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2060AH - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.89 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.) Disabled
FW: Trend Micro PC-cillin Internet Security (Firewall) v14 (Trend Micro, Inc.) Disabled
AV: Trend Micro PC-cillin Internet Security 2006 v14.10.1041 (Trend Micro, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Toshiba\\IPPhone\\IPPhone.exe"="C:\\Program Files\\Toshiba\\IPPhone\\IPPhone.exe:*:Enabled:IPPhone"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\David Bartholomeusz\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WK_LAPTOP1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\David Bartholomeusz
LOGONSERVER=\\WK_LAPTOP1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\QuickTime\QTSystem\;C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DAVIDB~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DAVIDB~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=WK_LAPTOP1
USERNAME=David Bartholomeusz
USERPROFILE=C:\Documents and Settings\David Bartholomeusz
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

David Bartholomeusz (admin)
Kelly Manchee
emily
Administrator (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Baldur's Gate --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Black Isle\Baldur's Gate\Uninst.isu"
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Brother HL-1430 --> "C:\Program Files\Brother\BRHL1430\IsUninst.exe" -f"C:\Program Files\Brother\BRHL1430\DeIsL1.isu" -cbruninst.dll
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon iP1600 --> C:\WINDOWS\system32\CNMCP75.exe "-PRINTERNAMECanon iP1600" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44E24545-F317-4498-B7CD-240DE7BA8DE2}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities Easy-PrintToolBox --> C:\WINDOWS\BJPSUNST.EXE
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\SETUP.EXE" -l0x9
Drag'n Drop CD+DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDC146FA-73E0-4FA1-A353-841EA14BF600}\Setup.exe" -l0x9 deleteall
Dungeon Lords --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F41D7749-D973-42E7-BD80-64309766C39E}\setup.exe" -l0x9 -removeonly
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
HijackThis 2.0.2 --> "C:\Documents and Settings\David Bartholomeusz\Desktop\HijackThis.exe" /uninstall
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Lame ACM MP3 Codec --> "C:\WINDOWS\IFinst26.exe" -UC:\Program Files\Lame MP3 Codec\IFU46.inf
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech Gaming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C1DA723-24FC-48AD-93BA-925695C3EF26}\setup.exe" -l0x9 -removeonly
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NetObjects Fusion 8 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7567767-C347-4231-8F71-DDB54DDE340D}\setup.exe" -l0x9 anything -uninst
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nvts.inf
OLYMPUS Master 2 --> MsiExec.exe /X{CB49B376-1136-44B4-83FA-036334B59937}
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Samsung Media Studio --> C:\Program Files\InstallShield Installation Information\{C20CE592-B0F8-4D20-BF31-0151CA6331A6}\Setup.exe -runfromtemp -l0x0009 -removeonly
SD Secure Module --> MsiExec.exe /X{C45F4811-31D5-4786-801D-F79CD06EDD85}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Telstra ISDN Setup Program --> C:\Program Files\Telstra ISDN\uninstaller.exe
The Bard's Tale Demo --> MsiExec.exe /X{4A635D30-C60B-423C-9A99-60655AE1878B}
TOSHIBA Audio Effect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC99D835-CA4A-4E58-82F6-31D0ACF0CACA}\Setup.exe" /T24C50246
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Display Devices Change Utility --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TDspBtn.inf,DefaultUninstall,5
TOSHIBA Dual Pointing Device Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4701BF4D-9DBD-4F3B-953A-AFC3316E821B}\Setup.exe"
TOSHIBA Hotkey Utility for Display Devices --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TFNF5Wxp.inf,DefaultUninstall,5
TOSHIBA IPPhone --> MsiExec.exe /X{D177BD9B-9B11-4E28-8584-E0F93BB33F5B}
TOSHIBA Mobile Extension3 for Windows XP V3.65.00.XP --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\TME3\Uninst.isu" -c"C:\Program Files\TOSHIBA\TME3\uninstx.dll"
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\system32\TPSDel.dll"
TOSHIBA SD Memory Boot Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F816A1EB-392D-459C-A5A2-8C8B9CD75446}\Setup.exe"
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\Setup.exe"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Utilities --> tutildel.exe
TOSHIBA Zooming Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\Setup.exe"
Trend Micro PC-cillin Internet Security 2006 --> MsiExec.exe /X{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Wireless Hotkey --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7862BAD8-A379-4128-8AA1-EFD5A9603C53}\Setup.exe"
XviD MPEG-4 Video Codec --> "C:\Program Files\XviD\unins000.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type21530 / Warning
Event Submitted/Written: 02/24/2008 02:18:00 PM
Event ID/Source: 19011 / MSSQLServer
Event Description:
SuperSocket info: (SpnRegister) : Error 1355.

Event Record #/Type21519 / Error
Event Submitted/Written: 02/24/2008 01:21:24 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application maagent.exe, version 3.1.2004.1122, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [maagent.exe!ws!]

Event Record #/Type21516 / Warning
Event Submitted/Written: 02/24/2008 01:20:41 PM
Event ID/Source: 19011 / MSSQLServer
Event Description:
SuperSocket info: (SpnRegister) : Error 1355.

Event Record #/Type21502 / Error
Event Submitted/Written: 02/24/2008 00:41:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application maagent.exe, version 3.1.2004.1122, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [maagent.exe!ws!]

Event Record #/Type21499 / Warning
Event Submitted/Written: 02/24/2008 09:03:16 AM
Event ID/Source: 19011 / MSSQLServer
Event Description:
SuperSocket info: (SpnRegister) : Error 1355.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type46652 / Error
Event Submitted/Written: 02/24/2008 08:12:10 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.

Event Record #/Type46625 / Error
Event Submitted/Written: 02/24/2008 02:18:02 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Volume Manager Controller service terminated with the following error:
%%126

Event Record #/Type46598 / Error
Event Submitted/Written: 02/24/2008 01:20:20 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Volume Manager Controller service terminated with the following error:
%%126

Event Record #/Type46557 / Error
Event Submitted/Written: 02/24/2008 09:03:07 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Volume Manager Controller service terminated with the following error:
%%126

Event Record #/Type46553 / Error
Event Submitted/Written: 02/23/2008 09:12:18 PM
Event ID/Source: 11 / Cdrom
Event Description:
The driver detected a controller error on \Device\CdRom0.



-- End of Deckard's System Scanner: finished at 2008-02-24 20:14:52 ------------

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 24 February 2008 - 02:02 PM

OK,we need more strength here,gotta get another tool to your machine and let it do its work then see what we have left to remove.

If you will,go to UploadMalware and upload the file indicated below.

C:\WINDOWS\system32\etgtizd6.exe


Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#5 chocolate_bar85

chocolate_bar85
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:13 PM

Posted 25 February 2008 - 06:44 AM

Tried to upload the file etgtizd6.exe but could not find it on my computer anywhere.

here is the logfile from combofix and the latest hijackthis file.

Thank you for your assistance. The virus especially troj_agent is still doing fine!

ComboFix 08-02-25.2 - David Bartholomeusz 2008-02-25 21:07:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.560 [GMT 10:00]
Running from: C:\Documents and Settings\David Bartholomeusz\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 20:05 . 2008-02-24 20:05 <DIR> d-------- C:\Deckard
2008-02-19 10:00 . 2008-02-25 21:08 948,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-19 10:00 . 2008-02-25 20:35 11,876 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-19 09:57 . 2008-02-19 09:57 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-19 09:55 . 2008-02-19 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-19 09:54 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-19 09:54 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-19 09:54 . 2008-02-19 09:57 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-19 09:53 . 2008-02-19 09:53 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-19 09:46 . 2008-02-25 20:58 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-17 00:01 . 2008-02-17 02:15 <DIR> d-------- C:\Documents and Settings\David Bartholomeusz\.housecall6.6
2008-02-16 21:51 . 2008-02-16 21:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-16 21:51 . 2008-02-16 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 01:03 . 2008-02-15 01:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 01:03 . 2008-02-15 01:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 12:13 . 2008-02-09 12:13 <DIR> d-------- C:\Documents and Settings\emily\Application Data\Apple Computer
2008-02-05 00:00 . 2008-02-14 17:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 00:00 . 2008-02-05 00:00 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 10:50 1,972,224 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-22 10:51 1,371,136 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-21 12:01 --------- d-----w C:\Documents and Settings\David Bartholomeusz\Application Data\AdobeUM
2008-02-14 15:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-29 12:36 246,545 ----a-w C:\WINDOWS\system32\libssl32.dll
2007-12-29 12:36 1,188,375 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-12-14 01:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-19 09:57 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-19 09:57 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-12-10 07:50 856135 C:\WINDOWS\system32\nview.dll]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 20:24 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-08 20:43 95800]
"etgtizd6"="C:\WINDOWS\system32\etgtizd6.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-29 10:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-24 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2004-03-26 08:36 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2004-05-27 06:04 77824]
"TMESBS.EXE"="C:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2003-08-02 07:56 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-12-10 07:50 4866048]
"nwiz"="nwiz.exe" [2003-12-10 07:50 323584 C:\WINDOWS\system32\nwiz.exe]
"NVRotateSysTray"="C:\WINDOWS\system32\nvsysrot.dll" [2003-12-10 07:50 49152]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46 192512]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-10 08:07 49152]
"TFNF5"="TFNF5.exe" [2003-11-17 20:42 73728 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-03 06:45 135168]
"TPSMain"="TPSMain.exe" [2004-06-02 13:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" []
"NDSTray.exe"="NDSTray.exe" []
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"Drag'n Drop CD+DVD"="C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe" [2003-08-09 11:54 1175552]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 17:00 88363 C:\WINDOWS\agrsmmsg.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-02 03:52 1368064]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-07 01:27 860160]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2003-11-12 13:19 159744]
"TAudEffect"="C:\Program Files\Toshiba\TAudEffect\TAudEff.exe" [2003-12-26 09:17 208972]
"McDiags AutoLaunch"="" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30 897089]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 19:11 188416]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10 409600]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 16:32 126976]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36 57344]
"etgtizd6"="C:\WINDOWS\system32\etgtizd6.exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-20 07:25:16 155648]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Toshiba\\IPPhone\\IPPhone.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-17 04:08]
R2 Tmesbs;Tmesbs32;"C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" [2003-08-02 07:56]
R3 moufiltr;Office Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2007-04-06 11:27]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2004-01-10 12:26]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-18 08:18]

.
Contents of the 'Scheduled Tasks' folder
"2006-03-29 22:09:27 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 21:09:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-25 21:10:30
ComboFix-quarantined-files.txt 2008-02-25 11:10:26
ComboFix2.txt 2008-02-25 10:55:35
.
2008-02-14 11:57:48 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:22 PM, on 25/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\David Bartholomeusz\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [etgtizd6] C:\WINDOWS\system32\etgtizd6.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [etgtizd6] C:\WINDOWS\system32\etgtizd6.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148653068804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148653556878
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10303 bytes

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 27 February 2008 - 07:37 AM

Tell me about this computer please.

Is it a basic home pc or is it more like one thats used for buisness or program development.

There is an entry I believe just has no place on the computer what so ever and I have looked at 4 different XP setups here and cant find any references to the entry anywhere.

Also,tell me what you see in this folder---> C:\WINDOWS\system32\AppCert

Too bad I can find the material where I analyzed this infection but I know that folder doesnt belong and Im sure the entry in the reg doesnt belong either but Im an overly paranoid person and just want to be sure of what im doing.

So if I ask you to do this,it buys me some more time to research this infection again :thumbsup:

#7 chocolate_bar85

chocolate_bar85
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  

Posted 28 February 2008 - 07:14 AM

Hi

The computer is a home computer with internet access by both parents and the kids. I believe both kids have spent time on peer to peer networks like facebook and music sites and that may be the source of the infection/s.

My understanding is that the "troj_agent" virus creates the folder "windows/system32/appcert", and then puts in there the wsil32.dll file that my pccillin keeps blocking over and over again. I have tried to delete that file and also the folder from safemode and from the dos prompt with no success. It keeps saying "can't access this file". I have thought about using a boot disc of linux (one of the aussie computer magazines has created an operating system that can be contained and run from the disc which may allow me to delete these files, as it won't involve windows at all. But that is a last resort.

The folder "appCert" contains the following files: filter.drv hb13a.dll prx97w.dll wsil32.dll

Thanks for your help

David

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 01 March 2008 - 04:10 AM

Copy the text below to notepad and save it to the desktop with the name CFScript

KILLALL::

Folder::
C:\windows\System32\AppCert

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppCert]
"Path"=-
"CurrentState"="stop"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls]
"AppSecDll"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"etgtizd6"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"etgtizd6"=-

Once saved,drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed,post the new CombFix log and a fresh HijackThis log.

#9 chocolate_bar85

chocolate_bar85
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:13 PM

Posted 02 March 2008 - 12:06 AM

Hi Cretemonster

Have run that script and the two logs are below. Looks like you may have got it. :thumbsup: Thank you very much for the help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:01 PM, on 2/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David Bartholomeusz\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148653068804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148653556878
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10450 bytes


ComboFix 08-02-25.2 - David Bartholomeusz 2008-03-02 14:31:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.691 [GMT 10:00]
Running from: C:\Documents and Settings\David Bartholomeusz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Bartholomeusz\Desktop\CFScript..txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\System32\AppCert
C:\windows\System32\AppCert\filter.drv
C:\windows\System32\AppCert\hb13a.dll
C:\windows\System32\AppCert\prx97w.dll
C:\windows\System32\AppCert\wsil32.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
.

2008-02-24 20:05 . 2008-02-24 20:05 <DIR> d-------- C:\Deckard
2008-02-19 10:00 . 2008-03-02 14:40 2,271,264 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-19 10:00 . 2008-03-02 14:36 27,668 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-19 09:57 . 2008-02-19 09:57 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-19 09:55 . 2008-02-19 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-19 09:54 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-19 09:54 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-19 09:54 . 2008-02-19 09:57 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-19 09:53 . 2008-02-19 09:53 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-19 09:46 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-17 00:01 . 2008-02-17 02:15 <DIR> d-------- C:\Documents and Settings\David Bartholomeusz\.housecall6.6
2008-02-16 21:51 . 2008-02-16 21:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-16 21:51 . 2008-02-16 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 01:03 . 2008-02-15 01:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 01:03 . 2008-02-15 01:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 12:13 . 2008-02-09 12:13 <DIR> d-------- C:\Documents and Settings\emily\Application Data\Apple Computer
2008-02-05 00:00 . 2008-02-14 17:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 00:00 . 2008-02-05 00:00 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 12:01 --------- d-----w C:\Documents and Settings\David Bartholomeusz\Application Data\AdobeUM
2008-02-14 15:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-19 09:57 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-19 09:57 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-12-10 07:50 856135 C:\WINDOWS\system32\nview.dll]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 20:24 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-08 20:43 95800]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-06-29 10:24 258048]
"000StTHK"="000StTHK.exe" [2001-06-24 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2004-03-26 08:36 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2004-05-27 06:04 77824]
"TMESBS.EXE"="C:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2003-08-02 07:56 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-12-10 07:50 4866048]
"nwiz"="nwiz.exe" [2003-12-10 07:50 323584 C:\WINDOWS\system32\nwiz.exe]
"NVRotateSysTray"="C:\WINDOWS\system32\nvsysrot.dll" [2003-12-10 07:50 49152]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 17:46 192512]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-10 08:07 49152]
"TFNF5"="TFNF5.exe" [2003-11-17 20:42 73728 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-03 06:45 135168]
"TPSMain"="TPSMain.exe" [2004-06-02 13:43 278528 C:\WINDOWS\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" []
"NDSTray.exe"="NDSTray.exe" []
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"Drag'n Drop CD+DVD"="C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe" [2003-08-09 11:54 1175552]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 17:00 88363 C:\WINDOWS\agrsmmsg.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-02 03:52 1368064]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-07 01:27 860160]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2003-11-12 13:19 159744]
"TAudEffect"="C:\Program Files\Toshiba\TAudEffect\TAudEff.exe" [2003-12-26 09:17 208972]
"McDiags AutoLaunch"="" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30 897089]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 19:11 188416]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10 409600]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 16:32 126976]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 20:36 57344]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-20 07:25:16 155648]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Toshiba\\IPPhone\\IPPhone.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-17 04:08]
R2 Tmesbs;Tmesbs32;"C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" [2003-08-02 07:56]
R3 moufiltr;Office Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2007-04-06 11:27]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2004-01-10 12:26]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-18 08:18]

.
Contents of the 'Scheduled Tasks' folder
"2006-03-29 22:09:27 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 14:40:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-02 14:46:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-02 04:46:34
ComboFix2.txt 2008-02-25 11:10:30
ComboFix3.txt 2008-02-25 10:55:35
.
2008-02-14 11:57:48 --- E O F ---




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users