Spy Sheriff And Others



#1 krosati (Members, 36 posts)

Posted 14 May 2006 - 12:47 AM

I was infected today by this crap and thought I could get rid of it myself, however, I seem to have other issues as well.
I perused the past posts to gather intel and I was actually able to remove some of the problems.
I couldn't get online so I had to use MSCONFIG to disable all of the startup items to speed up my PC in order to get online. I have turned normal start back on before running any repair type programs so I catch everything.
I have already downloaded AD-AWARE and ran it (I always use AD-AWARE periodically so I know the infection was from today). I also picked up SMITFRAUDFIX and Spybot S&D.
I am still plagued by random pop ups even if I don't have IE opened.
I tried to download HJthis from here and from Merijn's site. McAfee keeps telling me it is infected and after scanning the entire PC, I get this file: W32/generic.worm!p2p.
So I cannot get a log to post.
I am running XP and have been updating almost every time I log on (way too many patches I guess).
What do I need and where do I go from here?


#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,750 posts, Virginia, USA)

Posted 14 May 2006 - 06:52 AM

Have you tried the self-help tutorial How to remove Spyware Sheriff and Antispylab?

Here are two alternate links for downloading Hijackthis:
thespykiller.co
ralphcaddell.com
These are self-extracting versions which will automatically install HJT in the proper location.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 krosati (Topic Starter, Members, 36 posts)

Posted 16 May 2006 - 09:34 PM

Yes, I followed the help guide and did get rid of Spysheriff. However, I still have some pop ups and when I boot up the computer, I am getting a "form" about 2 inches wide and 5 inches high. But the "form" is blank and has no writing of any kind. It also has no close button. It does close on its own after a few seconds so I'm not sure if it is any threat or not.
The pop-up sites usually go to the following addresses:
Heavy.com, Partypoker.com, True.com, and Ad.first.com. They always come in three.
I also tried to download HJThis from your links provided. It loaded as intended, but McAfee deletes it because it says it is infected with this W32/generic.worm!p2p.
I'm still at a loss. Thanks for your help.

#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,750 posts, Virginia, USA)

Posted 17 May 2006 - 04:32 AM

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Download and scan with Ewido Anti-Malware v3.5
Ewido Install and Scan Instructions

Download and scan with Sysclean Package.
1. Create a new folder on drive "C:\" ("C:\New Folder") and rename it Sysclean.
2. Place the sysclean.com inside that folder.
3. Then download the latest Virus Pattern Files (lptXXX.zip).
4. Extract the lptXXX.zip pattern file into the same folder you created for sysclean.com.
5. Close all open applications and DISABLE your current anti-virus software. Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them first.
6. Open the Sysclean folder and double-click on sysclean.com to run.
7. It will take some time to complete. Be patient and let it clean whatever it finds.
8. Exit when done and re-enable your anti-virus program.

Perform this online Virus scan:
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Trend Micro Housecall Scan

When done, download Hijackthis again and let me know what happens.

#5 krosati (Topic Starter, Members, 36 posts)

Posted 17 May 2006 - 11:26 PM

ATF ran
Ewido ran. Here are the results from 1 accidental scan and 2 full scans
Scan 1
_______
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:20:57 PM, 5/17/2006
+ Report-Checksum: 92F94013

+ Scan result:

[1468] C:\WINDOWS\system32\lkzfg.dll -> Proxy.Agent.df : Error during cleaning
[1932] C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned with backup
[1940] C:\WINDOWS\sys11-1262639300.exe -> Adware.Enbrow : Cleaned with backup
[408] C:\defender19a.exe -> Hijacker.VB.nh : Cleaned with backup
[1304] C:\WINDOWS\system32\CURITY~1\netdde.exe -> Downloader.PurityScan.cl : Cleaned with backup


::Report End

Scan 2
______
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:45:49 PM, 5/17/2006
+ Report-Checksum: F81E0B17

+ Scan result:

[1468] C:\WINDOWS\system32\lkzfg.dll -> Proxy.Agent.df : Error during cleaning
C:\Documents and Settings\Rosati\Cookies\rosati@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Rosati\Cookies\rosati@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Rosati\Local Settings\Temporary Internet Files\Content.IE5\7MOJYV28\runfile[1].exe -> Hijacker.Small.cc : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00006.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Error during cleaning
C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Cleaned with backup
C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\file1.exe -> Dropper.Agent.apb : Cleaned with backup
C:\WINDOWS\OEM.exe -> Proxy.Agent.jw : Cleaned with backup
C:\WINDOWS\system32\cfjknija.exe -> Proxy.Wopla.r : Cleaned with backup
C:\WINDOWS\system32\dlnibfel.exe -> Proxy.Wopla.r : Cleaned with backup
C:\WINDOWS\system32\ke7dnl.sys -> Downloader.Hanlo.r : Cleaned with backup
C:\WINDOWS\system32\kernels8.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\lkzfg.dll -> Proxy.Agent.df : Error during cleaning
C:\WINDOWS\system32\maxd641.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\rseymhu.dll -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINDOWS\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup


::Report End

I received this message at the end of scan 2:
Warning
The file "C:\Program Files\misc001\webhc1.exe/whAgent.exe" cannot be removed because it is imbedded in the archive"C:\Program Files\Common Files\misc001\webhc.exe" Duo you want to remove the whole archive? Yes No

I clicked no for now and scanned again (scan 3)
_____
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:37:42 PM, 5/17/2006
+ Report-Checksum: CBB2AA30

+ Scan result:

[1468] C:\WINDOWS\system32\lkzfg.dll -> Proxy.Agent.df : Error during cleaning
C:\Documents and Settings\Rosati\Cookies\rosati@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Error during cleaning
C:\WINDOWS\system32\lkzfg.dll -> Proxy.Agent.df : Error during cleaning


::Report End

I received the same warning message again.

I moved onto the Sysclean Package


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2006-05-17, 19:40:15, Auto-clean mode specified.
2006-05-17, 19:40:15, Running scanner "C:\Sysclean\TSC.BIN"...
2006-05-17, 19:40:40, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2006-05-17, 19:40:40, TSC Log:

2006-05-17, 19:41:22, An error occurred while scanning file "C:\Documents and Settings\All Users\Documents\Settings\20242402.dll": Access is denied.
2006-05-17, 19:41:22, An error occurred while scanning file "C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\Rosati\NTUSER.DAT": Access is denied.
2006-05-17, 19:41:29, An error occurred while scanning file "C:\Documents and Settings\Rosati\ntuser.dat.LOG": Access is denied.
2006-05-17, 19:41:37, An error occurred while scanning file "C:\Documents and Settings\Rosati\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-05-17, 19:41:37, An error occurred while scanning file "C:\Documents and Settings\Rosati\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-05-17, 19:41:38, An error occurred while scanning file "C:\Documents and Settings\Rosati\Local Settings\Temp\~DFE157.tmp": Access is denied.
2006-05-17, 19:41:53, An error was detected on "C:\Documents and Settings\Rosati\My Documents\??stem32\*.*": The filename, directory name, or volume label syntax is incorrect.
2006-05-17, 19:47:52, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\APNTEX.EXE-2C02AAE6.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\CSC.EXE-1113BFA6.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\CVTRES.EXE-13DEB540.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\DLXTCNHQ.EXE-141BBE2B.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\IVPSVMGR.EXE-20A69266.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\MCAGENT.EXE-03DA6B71.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\MCMNHDLR.EXE-1D1F2FA0.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\MCREGWIZ.EXE-20498823.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\MCSHIELD.EXE-15F93AD5.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\MGHTML.EXE-31D79FA5.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\SECURITYSUITE.EXE-278F473B.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-2463FFE4.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-047A9559.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.BIN-175206AB.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
2006-05-17, 19:50:39, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
2006-05-17, 19:51:10, An error occurred while scanning file "C:\WINDOWS\SoftwareDistribution\EventCache\{D191C1B3-0430-4B12-9199-BF83D9283C8B}.bin": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2006-05-17, 19:52:22, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2006-05-17, 19:52:48, An error was detected on "C:\WINDOWS\system32\??curity\*.*": The filename, directory name, or volume label syntax is incorrect.
2006-05-17, 19:53:40, Running scanner "C:\Sysclean\VSCANTM.BIN"...
2006-05-17, 20:09:54, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 5/17/2006 19:53:43
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 431 (116367 Patterns) (2006/05/16) (343100)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

C:\WINDOWS\pf78.exe [TROJ_Generic]
39891 files have been read.
39891 files have been checked.
30426 files have been scanned.
61272 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/17/2006 20:09:54
---------*---------*---------*---------*---------*---------*---------*---------*
2006-05-17, 20:09:55, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 5/17/2006 19:53:43
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 431 (116367 Patterns) (2006/05/16) (343100)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

Success Clean [ TROJ_Generic]( 1) from C:\WINDOWS\pf78.exe
39891 files have been read.
39891 files have been checked.
30426 files have been scanned.
61272 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/17/2006 20:09:54 16 minutes 9 seconds (968.59 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-05-17, 20:09:55, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 5/17/2006 19:53:43
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 431 (116367 Patterns) (2006/05/16) (343100)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

39891 files have been read.
39891 files have been checked.
30426 files have been scanned.
61272 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/17/2006 20:09:54 16 minutes 9 seconds (968.59 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-05-17, 20:09:55, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.

I tried the Housecall scan but could not connect. This is the error message I received:
HouseCall Message
Trend Active Update did not update successfully. It may result from busy server or bad network traffic.
Error code: 28
Error String: Active Update was unable to connect to the network. Please check wether the network connection is functional and then try again.
Do you want to retry? Retry Cancel

Repeated attempts to retry resulted in the same error message over and over.

I finally was able to download HJT. Here is the log file:
Logfile of HijackThis v1.99.1
Scan saved at 8:50:43 PM, on 5/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ltmoh\Ltmoh.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Rosati\My Documents\??stem32\?serinit.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {73613587-F546-D793-4ED2-F2CAEF53E09C} - C:\WINDOWS\system32\rseymhu.dll (file missing)
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys11-1262639300] C:\WINDOWS\sys11-1262639300.exe
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eprc] "C:\WINDOWS\system32\CURITY~1\netdde.exe" -vt yazr
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [miiu] C:\Program Files\Common Files\miiu\miium.exe
O4 - HKCU\..\Run: [Gprx] C:\Documents and Settings\Rosati\My Documents\??stem32\?serinit.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O21 - SSODL: RMfnldOuK - {B4BDA73D-1E17-0D97-219F-AA0AA3F4D670} - C:\WINDOWS\system32\lkzfg.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

Again, thanks for the help.

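The HijackThis log above is the format the HJT team reads by hand. As an added example (not a BleepingComputer or HijackThis tool), the Python script below applies three of the checks a helper makes when reading such a log to a handful of lines copied from it: a core Windows binary name running or autostarting outside system32, a path that HijackThis prints with "?" in place of non-ASCII look-alike characters, and an autorun or Winlogon Notify entry living in the Windows root, the drive root or a user profile. The list of core binary names and the directory rules are this example's own assumptions, not HijackThis settings.

```python
"""Triage a HijackThis v1.99 log for entries that merit a closer look.

Added example, not part of HijackThis: parses the "Running processes"
section and the O4 / O20 / O21 lines and flags three patterns that the
infected log in this thread shows. The name list and directory rules
below are assumptions of this example, not HijackThis settings.
"""
import re
from typing import List, Tuple

# Names that on Windows XP legitimately live only in %SystemRoot%\system32.
CORE_BINARIES = {"winlogon.exe", "svchost.exe", "smss.exe", "lsass.exe",
                 "services.exe", "userinit.exe", "csrss.exe", "spoolsv.exe"}
SYSTEM32 = "c:\\windows\\system32"
PROFILE_ROOT = "c:\\documents and settings\\"
AUTORUN_PREFIXES = ("O4 - ", "O20 - ", "O21 - ")

MASQUERADE = "core Windows binary name outside system32"
LOOKALIKE = "non-ASCII look-alike characters in path"
ODD_LOCATION = "autorun from the Windows root, drive root or a user profile"

# First drive-letter path ending in a binary extension; the lookahead stops
# "c:\progra~1\mcafee.com\vso\x.exe" from being cut at ".com".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|com)(?=$|["\s])',
                     re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case and collapse doubled backslashes (HJT prints C:\\\\x.exe)."""
    return re.sub(r"\\+", r"\\", path).lower()


def classify(path: str, autorun: bool) -> List[str]:
    """Return the reasons (possibly none) this path merits a look."""
    norm = normalize(path)
    directory, _, basename = norm.rpartition("\\")
    reasons = []
    if basename in CORE_BINARIES and directory != SYSTEM32:
        reasons.append(MASQUERADE)
    if "?" in norm:
        reasons.append(LOOKALIKE)
    if autorun and (directory in ("c:", "c:\\windows")
                    or directory.startswith(PROFILE_ROOT)):
        reasons.append(ODD_LOCATION)
    return reasons


def triage(log: str) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return (path as printed, reasons) for every flagged process or autorun."""
    findings = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        autorun = line.startswith(AUTORUN_PREFIXES)
        if not (in_processes or autorun):
            continue
        match = PATH_RE.search(line)
        if match:  # entries such as "[AGRSMMSG] AGRSMMSG.exe" carry no path
            reasons = classify(match.group(0), autorun)
            if reasons:
                findings.append((match.group(0), tuple(reasons)))
    return findings


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rosati\My Documents\??stem32\?serinit.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Gprx] C:\Documents and Settings\Rosati\My Documents\??stem32\?serinit.exe
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O21 - SSODL: RMfnldOuK - {B4BDA73D-1E17-0D97-219F-AA0AA3F4D670} - C:\WINDOWS\system32\lkzfg.dll
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}\n    {'; '.join(reasons)}")
```

The heuristics are deliberately narrow: the lkzfg.dll SSODL entry and paytime.exe in Program Files pass all three checks, which is why a helper still reads the whole log rather than trusting a script.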
#6 Albert Frankenstein (Members, 2,707 posts, Michigan, USA)

Posted 18 May 2006 - 07:20 AM

You are definitely still infected.

For help with removing your infection I would like to refer you to the HiJack This (HJT) forum here at BleepingComputer.com:

First: Read the Preparation Guide found HERE. It is very important that you follow ALL of the instructions found within. (There are many important steps in this guide that may clean your computer.)

Second: Post your system information along with a brief description of the problems you are having, and your HJT log in the HJT forum found HERE.

NOTE: Please, after you post your HJT log DO NOT make another post in the HJT forum until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post there will be 1 reply. The team member glancing over the replies might think someone is already helping you out and will not respond. So, just make your post and let it sit there until a team member responds. The volunteers who work that forum are very busy, so please be patient and wait. It can sometimes take a few days for a response. If after 5 days you still have gotten no response, then post a link to your HJT log HERE.

Third: If, after finishing your work with the folks at the HJT forum you have issues with Windows related to the removal of the infection, then come to the other forums and let us help you get your computer back to normal.

You are in good hands! Good luck!
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!