
Pprevx,scit.exe, Pop-ups.


This topic is locked
2 replies to this topic

#1 len1444


Posted 08 April 2008 - 01:30 PM

Having problems with sister's computer, things popping up, imitating system errors, etc.

dss.exe log (main.txt):
Deckard's System Scanner v20071014.68
Run by Lena on 2008-04-07 14:17:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Lena.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-07 14:22:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Lena\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Lena.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: 209789 helper - {5C78E2DB-5AFC-4A3B-9B9F-6AF136562E6F} - C:\WINDOWS\system32\209789\209789.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Lena\LOCALS~1\Temp\20084714133_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - C:\WINDOWS\system32\dcggain.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Swupdtmr - Unknown owner - C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 6026 bytes

-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-07 14:19:06		 0 d-------- C:\Program Files\Trend Micro
2008-04-07 14:00:27	  4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-07 14:00:14		 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-07 13:59:39		 0 d-------- C:\WINDOWS\Internet Logs
2008-04-07 10:42:32		 0 d-------- C:\Documents and Settings\Lena\Application Data\Digital Album Organizer
2008-04-07 10:42:21	589824 --a------ C:\WINDOWS\system32\DVDRProX.dll <Not Verified; NuMedia Soft, Inc.; DVDRProX Module>
2008-04-07 10:42:19		 0 d-------- C:\Program Files\Fujifilm e-Systems
2008-04-07 10:11:00		 0 d-------- C:\Program Files\AntiSpywareShield
2008-04-06 23:40:16		64 --a------ C:\WINDOWS\system32\BurnData.bin
2008-04-06 21:31:31		 0 d-------- C:\WINDOWS\pss
2008-04-06 19:49:55		 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 19:49:54		 0 d-------- C:\Program Files\VirusHeat 4.3
2008-04-06 19:44:36		 0 d-------- C:\WINDOWS\system32\209789
2008-04-05 21:02:50		 0 d-------- C:\Documents and Settings\Lena\Application Data\Sonic
2008-04-05 08:12:36		 0 d-------- C:\Temp
2008-04-03 09:17:16		 0 d-------- C:\Program Files\MSXML 4.0
2008-04-02 15:05:00		 0 d-------- C:\WINDOWS\Sun
2008-04-02 15:05:00		 0 d-------- C:\Documents and Settings\Lena\Application Data\Sun
2008-04-02 13:32:08		 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-02 01:54:46		 0 d-------- C:\Documents and Settings\Lena\Application Data\Google
2008-04-02 00:44:26		 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-02 00:39:40		 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-04-01 13:30:06		 0 d---s---- C:\Documents and Settings\Lena\UserData
2008-04-01 00:28:27	  1158 --a------ C:\WINDOWS\mozver.dat
2008-04-01 00:20:04		 0 d-------- C:\Documents and Settings\Lena\Application Data\Mozilla
2008-04-01 00:17:44		 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-01 00:13:00		 0 d-------- C:\Documents and Settings\Lena\Application Data\InterVideo
2008-04-01 00:10:36		 0 d-------- C:\Documents and Settings\Lena\Application Data\Intuit
2008-04-01 00:10:36		 0 d-------- C:\Documents and Settings\Lena\Application Data\InterTrust
2008-04-01 00:10:36		 0 d-------- C:\Documents and Settings\Lena\Application Data\Identities
2008-04-01 00:10:36		 0 d-------- C:\Documents and Settings\Lena\Application Data\AOL
2008-04-01 00:10:36		 0 d-------- C:\Documents and Settings\Lena\Application Data\Adobe
2008-04-01 00:10:35		 0 d-------- C:\Documents and Settings\Lena\WINDOWS
2008-04-01 00:10:35		 0 d--h----- C:\Documents and Settings\Lena\Templates
2008-04-01 00:10:35		 0 dr------- C:\Documents and Settings\Lena\Start Menu
2008-04-01 00:10:35		 0 dr-h----- C:\Documents and Settings\Lena\SendTo
2008-04-01 00:10:35		 0 dr-h----- C:\Documents and Settings\Lena\Recent
2008-04-01 00:10:35		 0 d--h----- C:\Documents and Settings\Lena\PrintHood
2008-04-01 00:10:35   1310720 --ah----- C:\Documents and Settings\Lena\NTUSER.DAT
2008-04-01 00:10:35		 0 d--h----- C:\Documents and Settings\Lena\NetHood
2008-04-01 00:10:35		 0 dr------- C:\Documents and Settings\Lena\My Documents
2008-04-01 00:10:35		 0 d--h----- C:\Documents and Settings\Lena\Local Settings
2008-04-01 00:10:35		 0 dr------- C:\Documents and Settings\Lena\Favorites
2008-04-01 00:10:35		 0 d-------- C:\Documents and Settings\Lena\Desktop
2008-04-01 00:10:35		 0 d---s---- C:\Documents and Settings\Lena\Cookies
2008-04-01 00:10:35		 0 dr-h----- C:\Documents and Settings\Lena\Application Data
2008-04-01 00:10:35		 0 d-------- C:\Documents and Settings\Lena\Application Data\You've Got Pictures Screensaver
2008-04-01 00:10:35		 0 d-------- C:\Documents and Settings\Lena\Application Data\toshiba
2008-04-01 00:10:35		 0 d-------- C:\Documents and Settings\Lena\Application Data\Macromedia
2008-04-01 00:10:19	262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-04-01 00:10:11		 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2008-04-01 00:10:11		 0 d-------- C:\Documents and Settings\Default User\Application Data\You've Got Pictures Screensaver
2008-04-01 00:10:11		 0 d-------- C:\Documents and Settings\Default User\Application Data\toshiba
2008-04-01 00:10:11		 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-04-01 00:10:11		 0 d-------- C:\Documents and Settings\Default User\Application Data\Intuit
2008-04-01 00:10:11		 0 d-------- C:\Documents and Settings\Default User\Application Data\InterTrust
2008-04-01 00:10:11		 0 d-------- C:\Documents and Settings\Default User\Application Data\AOL
2008-04-01 00:10:11		 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe
2008-04-01 00:05:30		 0 d-------- C:\WINDOWS\system32\dla
2008-04-01 00:05:12	192512 --a------ C:\WINDOWS\system32\AdavVideoDec.dll <Not Verified; Arcsoft; Arcsoft AdavVideoDec>
2008-04-01 00:05:12	126976 --a------ C:\WINDOWS\system32\AdavAudioDec.dll <Not Verified; Arcsoft (HZ); MPEG Audio Codec Core>
2008-04-01 00:02:20	212480 --a------ C:\WINDOWS\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2008-04-01 00:02:16	147456 --a------ C:\WINDOWS\system32\PhotoBase Screen Saver.scr <Not Verified; ArcSoft Inc.; PhotoBase v4.0>
2008-04-01 00:02:14		 0 d-------- C:\Program Files\ArcSoft
2008-04-01 00:01:51	 15890 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.10>
2008-04-01 00:01:48	249856 --a------ C:\WINDOWS\system32\ControlWZCS.exe <Not Verified;; EnableWZC Application>
2008-04-01 00:01:48	 36864 --a------ C:\WINDOWS\system32\ControlACS.exe <Not Verified;; ControlACS>
2008-04-01 00:01:48	385024 --a------ C:\WINDOWS\system32\athcfg11.dll <Not Verified; Atheros; Atheros Configuration API Dynamic Link Library>
2008-04-01 00:01:47	 36864 --a------ C:\WINDOWS\system32\DelRunOnceReg.exe <Not Verified; ASKEY COMPUTER CORP.; DelRunOnceReg>
2008-04-01 00:01:47	 41029 --a------ C:\WINDOWS\system32\athgina.dll <Not Verified; Atheros; Athgina Dynamic Link Library>
2008-04-01 00:01:47	118784 --a------ C:\WINDOWS\system32\AegisI5.exe <Not Verified;; AegisInstall Application>
2008-04-01 00:01:47	843776 --a------ C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2008-04-01 00:01:47	 45056 --a------ C:\WINDOWS\system32\acs.exe
2008-04-01 00:00:12	 40960 --a------ C:\WINDOWS\system32\RmWLAN.exe <Not Verified; ASKEY COMPUTER CORP.; RmWLAN>
2008-04-01 00:00:12	278528 --a------ C:\WINDOWS\system32\PlugPlayPCIDevice.exe <Not Verified;; PlugPlayPCIDevice Application>
2008-04-01 00:00:12	172032 --a------ C:\WINDOWS\system32\MFCFirstRemove.exe <Not Verified;; MFCFirstRemove Application>
2008-04-01 00:00:12	 36864 --a------ C:\WINDOWS\system32\InstallInf.exe <Not Verified; ASKEY COMPUTER CORP.; InstallInf>
2008-04-01 00:00:12	 40960 --a------ C:\WINDOWS\system32\CloseACU.exe <Not Verified; ASKEY COMPUTER CORP.; CloseACU>
2008-04-01 00:00:12		 0 d-------- C:\Program Files\Atheros


-- Find3M Report ---------------------------------------------------------------

2008-04-07 14:11:26		93 --a------ C:\Documents and Settings\Lena\Application Data\.googlewebacchosts
2008-04-07 13:24:10		 0 d-------- C:\Program Files\Google
2008-04-07 10:42:19		 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-06 23:40:16		 0 d-------- C:\Program Files\Napster
2008-04-03 20:27:20		 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 10:06:29	 13312 --a-s---- C:\WINDOWS\system32\dcggain.dll
2008-04-01 00:05:29		 0 d-------- C:\Program Files\Sonic
2008-04-01 00:01:31		 0 d-------- C:\Program Files\InterVideo


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C78E2DB-5AFC-4A3B-9B9F-6AF136562E6F}]
04/06/2008 07:46 PM	13824	--a------	C:\WINDOWS\system32\209789\209789.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
			C:\Program Files\NetProject\sbmdl.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}"= C:\Program Files\NetProject\wamdl.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]
"Cleanup"="C:\DOCUME~1\Lena\LOCALS~1\Temp\20084714133_mcappins.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/02/2008 12:39 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [7/9/2007 10:24:38 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9c87cb31-93d0-4f3e-a360-4a91ff77aeb7}"= C:\WINDOWS\system32\dcggain.dll [04/03/2008 10:06 AM 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll [04/26/2005 03:26 PM 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpywareShield]
C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA Accessibility]
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
C:\Program Files\Toshiba\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusHeat 4.3]
"C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoomingHook]
ZoomingHook.exe




-- End of Deckard's System Scanner: finished at 2008-04-07 14:22:39 ------------

HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:14:51 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Lena\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: 209789 helper - {5C78E2DB-5AFC-4A3B-9B9F-6AF136562E6F} - C:\WINDOWS\system32\209789\209789.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Lena\LOCALS~1\Temp\2008471414_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Lena\LOCALS~1\Temp\20084714133_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - C:\WINDOWS\system32\dcggain.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4728 bytes

Thanks, Len

#2 SifuMike


Posted 08 April 2008 - 11:05 PM

Hello len1444,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum.
    Do NOT put any of the logs in quotes or code boxes as that makes it hard to read.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe



*******************************************
Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: 209789 helper - {5C78E2DB-5AFC-4A3B-9B9F-6AF136562E6F} - C:\WINDOWS\system32\209789\209789.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - C:\WINDOWS\system32\dcggain.dll



*******************************************
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\NetProject\scit.exe
    C:\Program Files\NetProject\sbmntr.exe
    C:\WINDOWS\system32\dcggain.dll


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


*******************************************


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post Report.txt from SDFix, a new Hijackthis log, OTMoveIt2 log, and tell me how your computer is running.

Do NOT put any of the logs in quotes or code boxes as that makes it hard to read.

Edited by SifuMike, 08 April 2008 - 11:22 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
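As an added example (not code from this thread, from HijackThis or from SDFix), the script below applies the kind of heuristics behind SifuMike's "fix checked" list to HijackThis lines: the sample input is a constructed subset of the log posted above, and the rules (orphaned targets, unnamed components, Policies\Explorer\Run autoruns, SharedTaskScheduler DLLs other than browseui.dll, URL-backed O9 buttons, numerically named system32 subfolders) are my own assumptions for triage, not verdicts from any tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of the HijackThis lines posted in this thread,
# mixing entries that were marked for removal with entries that are clean.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: 209789 helper - {5C78E2DB-5AFC-4A3B-9B9F-6AF136562E6F} - C:\WINDOWS\system32\209789\209789.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - C:\WINDOWS\system32\dcggain.dll
"""

# "O2 - BHO: <detail>" / "O4 - HKLM\..\Run: <detail>"; the kind ends at the first ": ".
ENTRY_RE = re.compile(r"^(O\d+) - (.+?): (.*)$")


@dataclass
class Entry:
    section: str   # e.g. "O2"
    kind: str      # e.g. "BHO" or "HKLM\..\Policies\Explorer\Run"
    detail: str    # everything after the kind
    raw: str
    reasons: list = field(default_factory=list)  # heuristic hits (assumed rules)


def parse_entry(line):
    """Parse one HijackThis line; returns None for blank or non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    return Entry(section, kind, detail, line.strip())


def target_of(entry):
    """Load target (path or URL) of an entry: the text after the [name] tag for
    O4 autoruns, otherwise after the last ' - '; the trailing status note is dropped."""
    detail = entry.detail
    if entry.section == "O4":
        detail = re.sub(r"^\[[^\]]*\]\s*", "", detail)
    else:
        detail = detail.rsplit(" - ", 1)[-1]
    detail = re.sub(r"\s*\((file missing|no file)\)\s*$", "", detail)
    return detail.strip().strip('"')


def triage(entry):
    """Attach assumed triage reasons to an entry; an empty list means 'looks clean'."""
    d = entry.detail
    if "(file missing)" in d or "(no file)" in d:
        entry.reasons.append("orphaned entry: target file missing")
    if entry.section in ("O2", "O3") and d.startswith("(no name)"):
        entry.reasons.append("unnamed browser component")
    if entry.section == "O4" and r"\Policies\Explorer\Run" in entry.kind:
        entry.reasons.append("autorun via Explorer policy key (rare for legitimate software)")
    target = target_of(entry)
    if entry.section == "O22" and not target.lower().endswith("browseui.dll"):
        entry.reasons.append("SharedTaskScheduler DLL other than browseui.dll")
    if entry.section == "O9" and re.match(r"https?://", target, re.I):
        entry.reasons.append("IE button/menu item points at a web URL, not a local file")
    if re.search(r"\\system32\\\d+\\", target, re.I):
        entry.reasons.append("component in a numerically named system32 subfolder")
    return entry


def triage_log(text):
    """Parse and triage every entry line in a HijackThis log."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return [triage(e) for e in entries]


def flagged(text):
    """Only the entries with at least one triage reason."""
    return [e for e in triage_log(text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_HJT_LOG):
        print(e.raw)
        for r in e.reasons:
            print("    ->", r)
```

On the sample above the six flagged lines are exactly the ones SifuMike listed for "fix checked" (the two NetProject items, the 209789 BHO, the unnamed toolbar, the ieservicegate button and dcggain.dll), while AcroIEHelper, the ZoneAlarm autorun and the browseui.dll scheduler entries pass.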

#3 SifuMike


Posted 18 April 2008 - 01:18 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.