Desktop "disappears"


  • This topic is locked
10 replies to this topic

#1 br0ke

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:23 AM

Posted 15 March 2008 - 03:23 PM

Hi Everyone

I almost always simply reformat my PC but decided I'd had it. I've done that about 2 or 3 times in the past 4 years on my current setup, but am humbly asking for anyone's advice. I used AVG, Ad-Aware, SpyBot, McAfee Stinger, CCleaner and lastly HijackThis.

My Explorer just cuts out from time to time (blank desktop). Cmd.exe popped up, though it might be seemingly harmless, and pop-ups come up in a new tabbed window within Firefox sometimes and during application startup.



To anyone who has an answer, here is what came up:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:12 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\tjqwtshi.dll",b
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\pboquaxl.dll",s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 5144 bytes



I'm totally stumped but I sincerely thank you in advance. If not I suppose it's back to the "great wipe", again. :thumbsup:


#2 RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:23 AM

Posted 15 March 2008 - 08:59 PM

Hi, Welcome to Bleeping Computer Forums!

My name is Renato Mejias, and I will help you to solve your problems :thumbsup:.

You might want to save this page on your favorites, so you can find it again when you return.

Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.

Renato Victor Mejias
Malware help in portuguese

#3 br0ke
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:23 AM

Posted 15 March 2008 - 11:06 PM

Hello Renato

Thanks, I've bookmarked said link. Hope to hear from you or anyone who may assist me soon. :thumbsup:

#4 RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:23 AM

Posted 16 March 2008 - 11:51 AM

Hi :thumbsup:


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
Renato Victor Mejias
Malware help in portuguese

#5 br0ke
  • Topic Starter

  • Members
  • 8 posts
  •  
  • Local time:09:23 AM

Posted 16 March 2008 - 02:50 PM

ComboFix 08-03-14.4 - User 2008-03-16 12:39:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.769 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\FD3085BE3A.dll
C:\WINDOWS\system32\fiqidpwg.dll
C:\WINDOWS\system32\hnibqthu.dll
C:\WINDOWS\system32\khvvddjj.dll
C:\WINDOWS\system32\mnmoq.ini
C:\WINDOWS\system32\mnmoq.ini2
C:\WINDOWS\system32\mpoqr.ini
C:\WINDOWS\system32\mpoqr.ini2
C:\WINDOWS\system32\pboquaxl.dll
C:\WINDOWS\system32\tuvsrsp.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-15 13:06 . 2008-03-15 13:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 11:17 . 2008-03-16 12:35 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVG7
2008-03-15 11:15 . 2008-03-15 11:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 11:14 . 2008-03-15 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-15 11:14 . 2008-03-15 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 11:01 . 2008-03-15 11:01 <DIR> d-------- C:\Program Files\CCleaner
2008-03-15 06:47 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-15 06:46 . 2008-03-15 06:47 <DIR> d-------- C:\Program Files\Java
2008-03-15 06:46 . 2008-03-15 06:46 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-15 06:43 . 2008-03-15 06:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2008-03-14 20:42 . 2008-03-15 10:47 1,366,863 --ahs---- C:\WINDOWS\system32\ihstwqjt.ini
2008-03-13 20:36 . 2008-03-13 20:37 1,320,215 --ahs---- C:\WINDOWS\system32\ajwvbpwo.ini
2008-03-13 13:20 . 2008-03-13 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-03-12 20:36 . 2008-03-13 20:37 1,346,630 --ahs---- C:\WINDOWS\system32\fwwonmrr.ini
2008-03-10 19:13 . 2008-03-10 19:13 <DIR> d-------- C:\Program Files\foobar2000
2008-03-10 19:13 . 2008-03-15 02:58 <DIR> d-------- C:\Documents and Settings\User\Application Data\foobar2000
2008-03-06 23:51 . 2008-03-06 23:51 <DIR> d-------- C:\Documents and Settings\User\.assistant
2008-03-01 09:10 . 2008-03-01 09:10 <DIR> d-------- C:\Program Files\Visualization Software
2008-03-01 08:57 . 2008-03-12 20:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-02-19 04:38 . 2008-02-19 04:38 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 19:43 --------- d-----w C:\Documents and Settings\User\Application Data\WTablet
2008-03-16 19:29 --------- d-----w C:\Program Files\PeerGuardian2
2008-03-16 19:16 --------- d-----w C:\Program Files\Soulseek
2008-03-16 07:39 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-03-11 12:01 --------- d-----w C:\Program Files\Webteh
2008-02-27 00:37 --------- d-----w C:\Program Files\Opera
2008-02-14 00:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-13 06:17 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-06 06:59 --------- d-----w C:\Program Files\Feurio
2008-02-06 06:49 --------- d-----w C:\Documents and Settings\User\Application Data\Sony
2008-02-06 06:49 --------- d-----w C:\Documents and Settings\User\Application Data\Publish Providers
2008-02-06 06:47 --------- d-----w C:\Program Files\Vstplugins
2008-02-06 06:47 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-06 06:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-02-06 06:46 --------- d-----w C:\Program Files\Sony
2008-02-06 06:45 --------- d-----w C:\Program Files\Sony Setup
2008-01-30 20:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 20:34 --------- d-----w C:\Program Files\Toshiba
2008-01-26 21:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-22 22:50 --------- d-----w C:\Program Files\Kodak
2008-01-18 22:43 --------- d-----w C:\Documents and Settings\User\Application Data\Apple Computer
2008-01-17 09:05 --------- d-----w C:\Program Files\Burrrn
2008-01-17 04:48 --------- d-----w C:\Program Files\Airfoil
2008-01-16 02:39 --------- d-----w C:\Program Files\QuickTime
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82C0B30E-FE00-4041-8F24-B3BE51F47BC4}]
C:\WINDOWS\system32\qomnm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9D83155-F2F6-4573-8552-017592A05A98}]
C:\WINDOWS\system32\rqopm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc02671c-22a2-4810-9466-6b77188b29ee}]
C:\WINDOWS\system32\tsjfbtgr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 17:34 128000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 17:21 270336]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-05 18:18 185896]
"b4bda793"="C:\WINDOWS\system32\tjqwtshi.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-15 11:30 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-15 11:14 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsrsp]
tuvsrsp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-12-21 10:10 88358 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-03-23 22:40 196608 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-04-28 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
--a------ 2004-04-26 17:21 270336 C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
--a------ 2005-04-28 20:08 675840 C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
--a------ 2005-01-19 17:34 128000 C:\Program Files\CursorXP\CursorXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-01-14 02:05 122939 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpppta]
--a------ 2000-06-02 03:50 86016 C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
--a------ 2004-12-23 18:07 28672 C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-09-05 19:16 184320 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2005-09-25 20:11 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-09-07 14:03 1077301 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 16:37 151552 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-15 16:51 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
--a------ 2004-05-01 13:48 65536 C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 00:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA Accessibility]
--a------ 2005-03-28 13:19 24576 C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
--a------ 2004-11-29 21:06 53248 C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a------ 2005-04-05 16:25 73728 C:\Program Files\Toshiba\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoomingHook]
--a------ 2004-05-01 13:49 24576 C:\WINDOWS\system32\ZoomingHook.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 TabletServicePen;TabletServicePen;C:\WINDOWS\system32\Pen_Tablet.exe [2007-09-07 12:16]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 12:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 11:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 17:11]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 12:43:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-03-16 12:45:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 19:45:19
.
2008-03-11 23:19:29 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:51 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {82C0B30E-FE00-4041-8F24-B3BE51F47BC4} - C:\WINDOWS\system32\qomnm.dll (file missing)
O2 - BHO: (no name) - {D9D83155-F2F6-4573-8552-017592A05A98} - C:\WINDOWS\system32\rqopm.dll (file missing)
O2 - BHO: {ee92b881-77b6-6649-0184-2a22c17620cd} - {dc02671c-22a2-4810-9466-6b77188b29ee} - C:\WINDOWS\system32\tsjfbtgr.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\tjqwtshi.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - Winlogon Notify: tuvsrsp - tuvsrsp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 5906 bytes





The explorer.exe has been flickering off more and more while I'm doing graphic work on my computer. I'm on the brink of just simply backing up my files and reformatting, as it's hindering my work. I forgot to mention my laptop hibernated twice, randomly, a good week or so ago.

Also, I deleted a much-needed .dll file thanks to AVG (and my naivety). Apparently it's a much-needed module for my computer, which has me even more inclined to simply reformat. I just stopped some infected process that AVG's update detected earlier; it found a trojan horse -- after "healing" the trojan the system needed to reboot, and afterwards an Explorer icon was found on the desktop as well as Outlook Express on the Start menu. Don't know if this is bad or not, just some more info.


I'm thinking of uninstalling AVG. Any advice at this point is welcomed and very much appreciated.


Thanks everyone. :thumbsup:

Edited by br0ke, 16 March 2008 - 02:55 PM.


#6 RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:23 AM

Posted 18 March 2008 - 08:46 PM

it found a trojan horse -- after "healing" the trojan the system needed to reboot, and afterwards an Explorer icon was found on the desktop as well as Outlook Express on the Start menu. Don't know if this is bad or not, just some more info.


Don't worry about this; it happens because we have a DLL in the startup. We'll fix it ASAP.

Another thing you should know is that it was ComboFix that placed the Internet Explorer icon on the desktop and the Outlook Express icon in your Start menu.
One of the things ComboFix does is reset most Internet Explorer settings to default.

I'm thinking of uninstalling AVG.

Wait until we finish here; after that you can uninstall AVG and install another antivirus :thumbsup:.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\system32\ihstwqjt.ini
C:\WINDOWS\system32\ajwvbpwo.ini
C:\WINDOWS\system32\fwwonmrr.ini
C:\WINDOWS\system32\qomnm.dll
C:\WINDOWS\system32\tsjfbtgr.dll
C:\WINDOWS\system32\rqopm.dll

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82C0B30E-FE00-4041-8F24-B3BE51F47BC4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9D83155-F2F6-4573-8552-017592A05A98}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc02671c-22a2-4810-9466-6b77188b29ee}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b4bda793"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsrsp]


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Renato Victor Mejias
Malware help in portuguese
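The entries the CFScript above targets are the ones that stand out in the posted logs: nameless BHOs pointing at random-looking DLLs in system32, a hex-named Run value launching one of them through rundll32.exe, a Winlogon Notify package with no file behind it, and hidden+system .ini files with random names. The following Python script is an added example, not part of this thread and not code from HijackThis, ComboFix or the helper: it applies those heuristics to log lines copied from this thread (embedded as a constructed sample) and drafts a File::/Registry:: script in the layout shown in the post above. The regular expressions, the looks_random() heuristic and the Finding type are my own assumptions; the script only reads text and writes nothing to the registry.

```python
"""Triage HijackThis/ComboFix log lines and draft a ComboFix CFScript from the hits.

Added example for this thread, not code from HijackThis, ComboFix or the helper.
The rules encode my assumptions about why these entries stood out; they are a
triage aid, not a verdict, so confirm each hit against a file hash or vendor list.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the logs posted in this thread, plus one
# known-good line of each kind for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {82C0B30E-FE00-4041-8F24-B3BE51F47BC4} - C:\WINDOWS\system32\qomnm.dll (file missing)
O2 - BHO: (no name) - {D9D83155-F2F6-4573-8552-017592A05A98} - C:\WINDOWS\system32\rqopm.dll (file missing)
O2 - BHO: {ee92b881-77b6-6649-0184-2a22c17620cd} - {dc02671c-22a2-4810-9466-6b77188b29ee} - C:\WINDOWS\system32\tsjfbtgr.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\tjqwtshi.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: tuvsrsp - tuvsrsp.dll (file missing)
2008-03-15 06:47 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-14 20:42 . 2008-03-15 10:47 1,366,863 --ahs---- C:\WINDOWS\system32\ihstwqjt.ini
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$")
CF_FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

@dataclass
class Finding:
    line: str
    reason: str
    files: list = field(default_factory=list)       # paths for the File:: section
    del_keys: list = field(default_factory=list)    # whole keys to delete: [-key]
    del_values: list = field(default_factory=list)  # (key, value) pairs to delete: "value"=-

def stem_of(path: str) -> str:
    # File name without directory or extension, e.g. qomnm for ...\qomnm.dll
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def looks_random(stem: str) -> bool:
    """Short, all-lowercase stem with few vowels or a long consonant run."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels / len(stem) <= 0.25 or longest_run >= 4

def triage(log_text: str) -> list:
    """Return a Finding per line that trips a rule; lines that look clean are skipped."""
    found = []
    for line in (raw.strip() for raw in log_text.strip().splitlines()):
        if m := O2_RE.match(line):
            nameless = m["name"] == "(no name)" or m["name"].startswith("{")
            if m["missing"] or (nameless and looks_random(stem_of(m["path"]))):
                found.append(Finding(line, "orphaned or nameless BHO", files=[m["path"]],
                                     del_keys=[BHO_KEY + "\\" + m["clsid"]]))
        elif m := O4_RE.match(line):
            dll = re.search(r'"?([A-Za-z]:\\[^",]+\.dll)"?', m["cmd"], re.I)
            hexname = re.fullmatch(r"[0-9a-f]{8}", m["value"]) is not None
            if (dll and "rundll32" in m["cmd"].lower() and "system32" in dll[1].lower()
                    and (hexname or looks_random(stem_of(dll[1])))):
                found.append(Finding(line, "rundll32 Run value loading a random-looking system32 DLL",
                                     files=[dll[1]], del_values=[(RUN_KEY, m["value"])]))
        elif m := O20_RE.match(line):
            if m["missing"] or looks_random(stem_of(m["dll"])):
                found.append(Finding(line, "Winlogon Notify package (loaded into winlogon.exe at logon)",
                                     del_keys=[NOTIFY_KEY + "\\" + m["sub"]]))
        elif m := CF_FILE_RE.match(line):
            hidden_system = "h" in m["attrs"] and "s" in m["attrs"]
            if hidden_system and "system32" in m["path"].lower() and looks_random(stem_of(m["path"])):
                found.append(Finding(line, "hidden+system file with a random name in system32",
                                     files=[m["path"]]))
    return found

def build_cfscript(findings: list) -> str:
    """Emit the File:: / Registry:: layout used in the post above, deduplicated."""
    files, keys, values = [], [], []
    for f in findings:
        files += [p for p in f.files if p not in files]
        keys += [k for k in f.del_keys if k not in keys]
        values += [v for v in f.del_values if v not in values]
    out = ["File::", *files, "", "Registry::", *(f"[-{k}]" for k in keys)]
    for key, value in values:
        out += [f"[{key}]", f'"{value}"=-']
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.reason}] {h.line}")
    print(build_cfscript(hits))
```

Running it prints six hits (three orphaned BHOs, the b4bda793 Run value, the tuvsrsp Notify package and the hidden .ini) and a draft script that lists the same keys and values as the helper's. The heuristics do produce false positives: wbsys.dll, the WindowBlinds library in this log's AppInit_DLLs entry, would also look "random" to looks_random(), so treat the output as a reviewer's starting point, not something to hand to ComboFix unchecked.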

#7 br0ke
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:23 AM

Posted 19 March 2008 - 05:00 AM

Renato you're amazing!

The combofix seemed to do the trick. Here's the log:

ComboFix 08-03-14.4 - User 2008-03-19 2:15:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.708 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ajwvbpwo.ini
C:\WINDOWS\system32\fwwonmrr.ini
C:\WINDOWS\system32\ihstwqjt.ini
C:\WINDOWS\system32\qomnm.dll
C:\WINDOWS\system32\rqopm.dll
C:\WINDOWS\system32\tsjfbtgr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ajwvbpwo.ini
C:\WINDOWS\system32\fwwonmrr.ini
C:\WINDOWS\system32\ihstwqjt.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-19 01:01 . 2008-03-19 01:01 <DIR> d-------- C:\WINDOWS\Sun
2008-03-15 13:06 . 2008-03-15 13:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 11:17 . 2008-03-17 22:38 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVG7
2008-03-15 11:15 . 2008-03-15 11:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 11:14 . 2008-03-15 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-15 11:14 . 2008-03-15 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 11:01 . 2008-03-15 11:01 <DIR> d-------- C:\Program Files\CCleaner
2008-03-15 06:47 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-15 06:46 . 2008-03-15 06:47 <DIR> d-------- C:\Program Files\Java
2008-03-15 06:46 . 2008-03-15 06:46 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-15 06:43 . 2008-03-15 06:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2008-03-13 13:20 . 2008-03-13 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-03-10 19:13 . 2008-03-10 19:13 <DIR> d-------- C:\Program Files\foobar2000
2008-03-10 19:13 . 2008-03-17 18:55 <DIR> d-------- C:\Documents and Settings\User\Application Data\foobar2000
2008-03-06 23:51 . 2008-03-06 23:51 <DIR> d-------- C:\Documents and Settings\User\.assistant
2008-03-01 09:10 . 2008-03-01 09:10 <DIR> d-------- C:\Program Files\Visualization Software
2008-03-01 08:57 . 2008-03-17 07:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-02-19 04:38 . 2008-03-18 04:56 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:16 --------- d-----w C:\Program Files\PeerGuardian2
2008-03-19 09:09 --------- d-----w C:\Program Files\Soulseek
2008-03-18 12:31 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-03-17 15:27 --------- d-----w C:\Program Files\Webteh
2008-03-17 14:43 --------- d-----w C:\Documents and Settings\User\Application Data\WTablet
2008-02-27 00:37 --------- d-----w C:\Program Files\Opera
2008-02-14 00:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-13 06:17 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-06 06:59 --------- d-----w C:\Program Files\Feurio
2008-02-06 06:49 --------- d-----w C:\Documents and Settings\User\Application Data\Sony
2008-02-06 06:49 --------- d-----w C:\Documents and Settings\User\Application Data\Publish Providers
2008-02-06 06:47 --------- d-----w C:\Program Files\Vstplugins
2008-02-06 06:47 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-06 06:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-02-06 06:46 --------- d-----w C:\Program Files\Sony
2008-02-06 06:45 --------- d-----w C:\Program Files\Sony Setup
2008-01-30 20:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 20:34 --------- d-----w C:\Program Files\Toshiba
2008-01-26 21:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-22 22:50 --------- d-----w C:\Program Files\Kodak
2008-01-11 19:25 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-06 01:18 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-06 01:18 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-26 04:20 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-12-26 04:20 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 17:34 128000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 17:21 270336]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-05 18:18 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-15 11:30 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-15 11:14 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-12-21 10:10 88358 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-03-23 22:40 196608 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-04-28 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
--a------ 2004-04-26 17:21 270336 C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
--a------ 2005-04-28 20:08 675840 C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
--a------ 2005-01-19 17:34 128000 C:\Program Files\CursorXP\CursorXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-01-14 02:05 122939 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpppta]
--a------ 2000-06-02 03:50 86016 C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
--a------ 2004-12-23 18:07 28672 C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2003-09-05 19:16 184320 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2005-09-25 20:11 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-09-07 14:03 1077301 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 16:37 151552 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-15 16:51 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
--a------ 2004-05-01 13:48 65536 C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 00:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA Accessibility]
--a------ 2005-03-28 13:19 24576 C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
--a------ 2004-11-29 21:06 53248 C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2004-12-28 16:02 270336 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a------ 2005-04-05 16:25 73728 C:\Program Files\Toshiba\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoomingHook]
--a------ 2004-05-01 13:49 24576 C:\WINDOWS\system32\ZoomingHook.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 TabletServicePen;TabletServicePen;C:\WINDOWS\system32\Pen_Tablet.exe [2007-09-07 12:16]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 12:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 11:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 17:11]

*Newly Created Service* - PGFILTER
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 02:16:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-19 2:17:34
ComboFix-quarantined-files.txt 2008-03-19 09:17:19
ComboFix2.txt 2008-03-16 19:45:23
.
2008-03-11 23:19:29 --- E O F ---



The missing .dll "missing module" doesn't pop up on startup anymore. And to think, I was about to reformat! Hmm... I really was -- I still feel like doing so. This prolongs my wanting to now.

Now I wonder if there is better free antivirus software that doesn't take up as much RAM as AVG?



Anyway, I humbly thank you again, Renato; you saved my PC! (For the time being.)

:blink: :thumbsup:

Edited by br0ke, 19 March 2008 - 05:05 AM.


#8 RenatoMejias (Malware Response Team, 913 posts)

Posted 20 March 2008 - 06:57 AM

Now I wonder if there is better free antivirus software that doesn't take up as much RAM as AVG?


You can find this information here:

http://www.av-comparatives.org/

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 br0ke (Topic Starter; Members, 8 posts)

Posted 21 March 2008 - 12:23 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 20, 2008 10:18:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 648510
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 62072
Number of viruses found: 1
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:33:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\User\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\User\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008032020080321\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\PeerGuardian2\history.db Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fiqidpwg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hnibqthu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\khvvddjj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pboquaxl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvsrsp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP123\A0015921.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP126\A0017261.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP127\A0017441.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP127\A0017462.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP127\A0017463.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP127\A0017464.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP127\A0017465.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP127\A0018296.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP128\A0018311.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP128\A0018312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP128\A0018313.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP128\A0018314.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP128\A0018315.dll Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP133\change.log Object is locked skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP29\A0006202.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{745515C7-7E62-4A74-8E72-71D7191BF033}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_514.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Thanks again, Renato! I'll check out that other link too.

I truly appreciate the help.

:thumbsup:
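The report above counts eight infected objects, yet the next reply calls the log clean. The added example below (not code from the thread or from Kaspersky) shows the triage that reconciles the two: it parses the "Infected Object Name / Virus Name / Last Action" lines and separates hits that sit in ComboFix's QooBox quarantine or in System Restore snapshots, where nothing loads them, from anything still on the live file system. The excerpt reuses lines from the report as posted; the one extra "live" line is constructed with a hypothetical file name to show the failing branch.

```python
"""Triage a Kaspersky Online Scanner report: are the detections live?

Added example, not part of the original thread. Parses the
"Infected Object Name / Virus Name / Last Action" lines and separates hits
in inert locations (ComboFix's QooBox quarantine, System Restore snapshots)
from anything still on the live file system.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Excerpt of lines from the report in the post above (paths as shown there).
REPORT_EXCERPT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fiqidpwg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvsrsp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP123\A0015921.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9CD43D5B-365E-499F-81F9-D1838D59E545}\RP128\A0018312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

Scan process completed.
"""

# Constructed line (hypothetical file name) showing what a live hit would look like.
CONSTRUCTED_LIVE_HIT = r"C:\WINDOWS\system32\hypothetical_live.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped"

# <path> Infected: <name> <action> | <path> Suspicious: <name> <action> | <path> Object is locked <action>
LINE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+'
    r'(?P<status>Infected: (?P<verdict>\S+)|Suspicious: (?P<suspect>\S+)|Object is locked)'
    r'\s+(?P<action>\S+)$'
)


@dataclass
class Hit:
    path: str
    state: str      # 'infected', 'suspicious' or 'locked'
    verdict: str    # detection name, '' for locked objects
    action: str     # what the scanner did with it (e.g. 'skipped')


@dataclass
class Triage:
    live: List[Tuple[str, str]]
    quarantine: List[Tuple[str, str]]
    restore_point: List[Tuple[str, str]]
    locked: int

    @property
    def clean(self) -> bool:
        """Clean means no infected or suspicious file outside quarantine/restore points."""
        return not self.live


def parse_report(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # header, statistics and blank lines
        if m['verdict']:
            hits.append(Hit(m['path'], 'infected', m['verdict'], m['action']))
        elif m['suspect']:
            hits.append(Hit(m['path'], 'suspicious', m['suspect'], m['action']))
        else:
            hits.append(Hit(m['path'], 'locked', '', m['action']))
    return hits


def location(path: str) -> str:
    """Where a flagged file sits: 'quarantine', 'restore_point' or 'live'."""
    p = path.upper()
    if p.startswith('C:\\QOOBOX\\QUARANTINE\\') or p.endswith('.VIR'):
        return 'quarantine'      # ComboFix renamed and moved it; nothing loads it from here
    if '\\SYSTEM VOLUME INFORMATION\\_RESTORE' in p:
        return 'restore_point'   # only comes back if that restore point is applied
    return 'live'


def triage(text: str) -> Triage:
    t = Triage(live=[], quarantine=[], restore_point=[], locked=0)
    for h in parse_report(text):
        if h.state == 'locked':
            t.locked += 1            # in-use file the scanner could not open, not a detection
            continue
        getattr(t, location(h.path)).append((h.path, h.verdict))
    return t


if __name__ == '__main__':
    result = triage(REPORT_EXCERPT)
    print('clean:', result.clean, '| quarantine:', len(result.quarantine),
          '| restore points:', len(result.restore_point), '| locked:', result.locked)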

#10 RenatoMejias (Malware Response Team, 913 posts)

Posted 22 March 2008 - 10:21 AM

Hi Br0ke :thumbsup:.

You don't appear to have a software firewall running.

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:
  • Zone Alarm (when installing ZoneAlarm, please uncheck the option "Include a ZoneAlarm Spy Blocker...". The toolbar is not recommended; you can read more about it here.)
  • Sygate
  • Kerio
It is important to note that you should only have one firewall installed at a time.

Next,

Go to Start > Run and type combofix /u; this will uninstall ComboFix.

Your log is clean! Great job!

Please read this article to avoid new infections:

http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

This process will clean out your Temp files and your Temporary Internet Files. Please do these eight steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Step 3: Use an AntiVirus Software
It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

Step 4: Update your AntiVirus Software
It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

Step 5: Use a Firewall
I cannot stress enough how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Step 6: Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Step 7: Install an Anti Spyware software
It is very important to be safe. Look at this list and choose one to install:

Virus, Spyware, and Malware Protection and Removal Resources

Step 8: Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help, and if there are any other problems related to your computer, please feel free to post them in the appropriate forum.

Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!


#11 don77 (Forum Regular; Members, 3,212 posts; Location: Boston Mass)

Posted 24 March 2008 - 02:37 PM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.



