Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection Of Trojan.win32.pakes.jmk & More


  • This topic is locked This topic is locked
2 replies to this topic

#1 onlyJust

onlyJust

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Scotland
  • Local time:04:05 AM

Posted 05 July 2008 - 01:46 PM

In the past few days my ZoneAlarm has detected the following:

Trojan-Downloader.Win32.Banload.pux
Trojan.Win32.Pakes.jmm
Trojan.Win32.Pakes.jml
Trojan.Win32.Pakes.jmk
Trojan-Downloader.Win32.Banload.pwv
Downloader.Win32.FraudLoad.dc

...and they just seem to keep on coming!

Any help would be greatly appreaciated, as I'm pretty clueless.

This is the HijackThis report I have just run:

Deckard's System Scanner v20071014.68
Run by Pamhis' on 2008-07-05 19:24:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
26: 2008-07-05 18:25:06 UTC - RP26 - Deckard's System Scanner Restore Point
25: 2008-07-04 22:49:29 UTC - RP25 - Software Distribution Service 3.0
24: 2008-07-03 20:45:23 UTC - RP24 - System Checkpoint
23: 2008-07-02 18:55:52 UTC - RP23 - Software Distribution Service 3.0
22: 2008-07-02 15:50:29 UTC - RP22 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-30 00:08:20 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Pamhis'.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:27:01, on 05/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Pamhis'\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Pamhis'.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5917 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SerTVOutCtlr (TOSHIBA Controls Driver -EPIOMngr) - c:\windows\system32\drivers\epiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcEKIOMngr - c:\windows\system32\drivers\ekiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R1 TPwSav (Common Driver) - c:\windows\system32\drivers\tpwsav.sys <Not Verified; TOSHIBA; >
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 Tvs (Toshiba Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>

S1 StickyMesger - c:\program files\toshiba\accessibility\stickymesger.sys (file missing)
S3 catchme - c:\docume~1\pamhis'\locals~1\temp\catchme.sys (file missing)
S3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
S3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
S3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>
S3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
S3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
S3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth USB Miniport Driver(Windows2000,WindowsXP)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_FF001179&REV_10\4&111A1FD8&0&00E0
Manufacturer: Marvell
Name: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_FF001179&REV_10\4&111A1FD8&0&00E0
Service: yukonwxp


-- Scheduled Tasks -------------------------------------------------------------

2008-06-30 01:07:12 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job
2008-06-30 01:07:12 258 --a------ C:\WINDOWS\Tasks\Registration reminder 2.job
2008-06-30 01:07:11 258 --a------ C:\WINDOWS\Tasks\Registration reminder 1.job


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 19:26:39 0 d-------- C:\Program Files\Trend Micro
2008-07-04 11:14:21 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\AdobeUM
2008-07-02 13:41:13 0 d-------- C:\WINDOWS\ERUNT
2008-07-02 11:57:03 0 dr-h----- C:\Documents and Settings\Pamhis'\Recent
2008-07-02 11:40:58 0 d-------- C:\Program Files\CCleaner
2008-07-02 10:49:36 0 d-------- C:\Program Files\WistaAntivirus
2008-07-01 18:50:52 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-01 17:34:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-01 17:16:42 144 --ahs---- C:\WINDOWS\system32\1547784834.dat
2008-07-01 17:16:36 39936 -r-hs---- C:\WINDOWS\system32\1025t.exe
2008-07-01 14:01:32 0 d-------- C:\Program Files\Google
2008-07-01 14:01:23 0 d-------- C:\Program Files\Picasa2
2008-06-30 19:43:12 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\vlc
2008-06-30 19:42:06 0 d-------- C:\Program Files\VLC
2008-06-30 16:56:24 0 d-------- C:\WINDOWS\Sun
2008-06-30 16:56:23 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\Sun
2008-06-30 15:50:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-30 15:50:18 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\Azureus
2008-06-30 15:49:26 0 d-------- C:\Program Files\Vuze
2008-06-30 14:45:33 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-30 14:34:11 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-30 14:34:00 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\Mozilla
2008-06-30 14:13:32 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-30 13:50:08 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-30 13:49:03 0 d-------- C:\WINDOWS\SHELLNEW
2008-06-30 13:49:01 0 d-------- C:\Program Files\Microsoft.NET
2008-06-30 13:46:59 0 dr-h----- C:\MSOCache
2008-06-30 12:35:18 1962272 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-30 12:30:21 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-30 12:30:16 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-30 12:30:08 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-06-30 12:29:53 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-06-30 12:22:57 0 d-------- C:\WINDOWS\Internet Logs
2008-06-30 12:16:35 0 d-------- C:\Program Files\Alwil Software
2008-06-30 12:10:21 0 d-------- C:\Installation Kit
2008-06-30 09:26:40 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\Macromedia
2008-06-30 09:21:35 0 d---s---- C:\Documents and Settings\Pamhis'\UserData
2008-06-30 01:09:45 0 d-------- C:\Documents and Settings\Pamhis'\Nethood
2008-06-30 01:09:45 0 d-------- C:\Documents and Settings\Default User\Nethood
2008-06-30 01:09:34 204800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-06-30 01:09:34 188416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-06-30 01:09:34 192512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-06-30 01:09:34 192512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-06-30 01:09:34 200704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-06-30 01:09:34 20480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-06-30 01:09:30 0 d-------- C:\Program Files\InterVideo
2008-06-30 01:09:05 0 dr------- C:\Documents and Settings\Pamhis'\Favorites
2008-06-30 01:09:05 0 d-------- C:\Documents and Settings\Pamhis'\Desktop
2008-06-30 01:09:05 0 d---s---- C:\Documents and Settings\Pamhis'\Cookies
2008-06-30 01:09:05 0 dr-h----- C:\Documents and Settings\Pamhis'\Application Data
2008-06-30 01:09:05 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\toshiba
2008-06-30 01:09:05 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\Symantec
2008-06-30 01:09:05 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\Sonic
2008-06-30 01:09:05 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\Identities
2008-06-30 01:09:05 0 d-------- C:\Documents and Settings\Pamhis'\Application Data\Adobe
2008-06-30 01:09:04 0 d-------- C:\Documents and Settings\Pamhis'\WINDOWS
2008-06-30 01:09:04 0 d--h----- C:\Documents and Settings\Pamhis'\Templates
2008-06-30 01:09:04 0 dr------- C:\Documents and Settings\Pamhis'\Start Menu
2008-06-30 01:09:04 0 dr-h----- C:\Documents and Settings\Pamhis'\SendTo
2008-06-30 01:09:04 0 d--h----- C:\Documents and Settings\Pamhis'\PrintHood
2008-06-30 01:09:04 2097152 --ah----- C:\Documents and Settings\Pamhis'\NTUSER.DAT
2008-06-30 01:09:04 0 dr------- C:\Documents and Settings\Pamhis'\My Documents
2008-06-30 01:09:04 0 d--h----- C:\Documents and Settings\Pamhis'\Local Settings
2008-06-30 01:08:13 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-06-30 01:07:08 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2008-06-30 01:07:08 0 d-------- C:\Documents and Settings\Default User\Application Data\toshiba
2008-06-30 01:07:08 0 d-------- C:\Documents and Settings\Default User\Application Data\Symantec
2008-06-30 01:07:08 0 d-------- C:\Documents and Settings\Default User\Application Data\Sonic
2008-06-30 01:07:08 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-06-30 01:07:08 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-06-30 13:49:23 0 d-------- C:\Program Files\Common Files
2008-06-30 08:37:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-30 08:37:04 0 d-------- C:\Program Files\Symantec
2008-06-30 01:38:29 0 d-------- C:\Program Files\Online Services
2008-06-30 01:09:30 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/11/2004 17:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/11/2004 16:59]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [24/03/2004 06:40]
"Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [05/04/2005 16:25]
"AGRSMMSG"="AGRSMMSG.exe" [22/12/2004 09:10 C:\WINDOWS\agrsmmsg.exe]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [10/05/2005 14:13]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [29/11/2004 21:06]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [30/04/2004 23:02]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [30/04/2004 23:02]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [25/02/2005 15:59]
"Zooming"="ZoomingHook.exe" [14/07/2004 16:07 C:\WINDOWS\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [30/03/2005 18:01 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TPSMain"="TPSMain.exe" [21/01/2005 08:53 C:\WINDOWS\system32\TPSMain.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [11/04/2005 10:12]
"NDSTray.exe"="NDSTray.exe" []
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [17/11/2004 10:56]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [14/01/2005 01:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16/05/2008 00:19]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [02/04/2008 20:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [11/04/2005 11:26]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [26/02/2008 02:23]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]




-- End of Deckard's System Scanner: finished at 2008-07-05 19:28:31 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.73GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 502.42 MiB / 207.94 MiB
Pagefile Memory (total/avail): 1228.92 MiB / 814.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.3 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 15.69 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS541040G9AT00 - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Security Suite Firewall v7.0.473.000 (Check Point, LTD.)
AV: ZoneAlarm Security Suite Antivirus v7.0.473.000 (Check Point, LTD.)
AV: avast! antivirus 4.8.1201 [VPS 080704-2] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Pamhis'\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-23CD86967A
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Pamhis'
LOGONSERVER=\\YOUR-23CD86967A
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Pamhis'\LOCALS~1\Temp
TMP=C:\DOCUME~1\Pamhis'\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=YOUR-23CD86967A
USERNAME=Pamhis'
USERPROFILE=C:\Documents and Settings\Pamhis'
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Pamhis' (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A70000000000}
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
InterVideo WinDVD for TOSHIBA --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Runtime 8.0 Libraries --> MsiExec.exe /I{EA4FA30B-7321-4428-90E9-28B088EC8DC9}
SD Secure Module --> MsiExec.exe /X{C45F4811-31D5-4786-801D-F79CD06EDD85}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SMSC IrCC V5.1.3600.5 SP2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}\setup.exe" -l0x9 UNINSTALL
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F47B2DF8-35EC-4B51-B5F2-0E03EF5F51DA} /l1033
TOSHIBA Accessibility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3A57482F-BEBC-47E4-ADA1-6302403C7E50} /l1033
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\Setup.exe" -l0x9
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Hardware Setup --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA Hotkey Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7900D3A6-A9E8-4954-ACCB-AB15867978BF} /l1033
TOSHIBA Manuals --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{188BA1CC-F3A1-49B0-A34D-8C861C64E1AE}\Setup.exe" -l0x9
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\system32\TPSDel.dll"
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\setup.exe"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Supervisor Password --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
TOSHIBA Virtual Sound --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B12BA86-ADAC-4BA6-B441-FFC591087252}\setup.exe" /uninstall
TOSHIBA Zooming Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\Setup.exe" -l0x9
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe" -l0x9
TouchPad On/Off Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{80977342-27E8-4FF7-8B6A-D8D89461DA7F} /l1033
VideoLAN VLC media player 0.8.6h --> C:\Program Files\VLC\uninstall.exe
Vuze --> C:\Program Files\Vuze\uninstall.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type123 / Error
Event Submitted/Written: 07/01/2008 05:45:46 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type122 / Error
Event Submitted/Written: 07/01/2008 05:27:53 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type117 / Error
Event Submitted/Written: 06/30/2008 02:49:00 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application orange.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type91 / Warning
Event Submitted/Written: 06/30/2008 01:50:30 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type90 / Warning
Event Submitted/Written: 06/30/2008 01:50:30 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2158 / Error
Event Submitted/Written: 07/05/2008 06:36:37 PM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{E1AA34FF-5ABE-4E5E-AD6D-EC47BF9AC28A}.
The backup browser is stopping.

Event Record #/Type2155 / Warning
Event Submitted/Written: 07/05/2008 06:33:12 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\PAWELEK on the network \Device\NetBT_Tcpip_{E1AA34FF-5ABE-4E5E-AD6D-EC47BF9AC28A}.
The data is the error code.

Event Record #/Type2148 / Error
Event Submitted/Written: 07/05/2008 06:15:04 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 00166F2E712F. The following error
occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2141 / Warning
Event Submitted/Written: 07/05/2008 02:21:37 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type2137 / Warning
Event Submitted/Written: 07/05/2008 11:28:18 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-05 19:28:31 ------------

BC AdBot (Login to Remove)

 


m

#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:11:05 PM

Posted 26 July 2008 - 11:30 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:11:05 PM

Posted 05 August 2008 - 05:55 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users