

Virus Burst Returns!


  • This topic is locked
12 replies to this topic

#1 jwrocker

  • Members
  • 8 posts

Posted 02 November 2006 - 10:57 PM

Hi!!
I am in NEED of your HELP!!!!! PLEASE!!!!
I am just totally sick of this thing!

I have managed to get the Virus Burst virus again.
I used your advice from another blog to remove it the first time and then it came back when I downloaded TrueCodec 5.0.
I have repeated the same steps as before and nothing!
This time it is a little different also. Like it has a Yellow & Blue icon now???? And it says "Critical System Error's" rather than "Critical System Error".
I have run Ad-Aware, Spybot, and Xoftspy.

I am also unable to Remove TrueCodec 5.0 from my system. It keeps telling me that I have to restart my computer first and I know after the 3rd time that is BOGUS!!!

Here is my Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:40:17 PM, on 11/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TrueCodec\isamonitor.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\455f15e.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TrueCodec\isamini.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {083461A7-7F19-F0B7-F335-07DC26CA60EB} - C:\WINDOWS\system32\lxysvph.dll
O2 - BHO: (no name) - {0FBCA604-42FD-D607-7AF1-00F9A76E52B6} - C:\WINDOWS\system32\xvpxojj.dll
O2 - BHO: (no name) - {1D8339D5-2416-9648-7AE6-085C0E6CC31B} - C:\WINDOWS\system32\mesxgqf.dll
O2 - BHO: (no name) - {33C484AF-AA76-C9B2-0B6A-080DB2A0E813} - C:\WINDOWS\system32\nmzunn.dll
O2 - BHO: (no name) - {36C57497-6A07-ABBC-74C4-04607FF7CB02} - C:\WINDOWS\system32\hlgbexc.dll
O2 - BHO: (no name) - {3904B5E4-0774-796F-6C3C-0B6AF1EFA049} - C:\WINDOWS\system32\lrkucwb.dll
O2 - BHO: (no name) - {39681D2F-FAA2-BF2A-75CF-00AAC425EBF1} - C:\WINDOWS\system32\pdseqkh.dll
O2 - BHO: (no name) - {4B0D9780-CCD6-BD62-8D52-025BE65D2EED} - C:\WINDOWS\system32\rkfyvql.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {629651BA-C2AD-E2EB-293C-0507F26C50E2} - C:\WINDOWS\system32\hfcpdhm.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\TrueCodec\isaddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - C:\Program Files\TrueCodec\iesplugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [455f15e.exe] C:\WINDOWS\system32\455f15e.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ojloxxk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ojloxxk.dll,dfxhrpe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [zrngrtd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zrngrtd.dll,tkjyswc
O4 - HKLM\..\Run: [htvkatb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\htvkatb.dll,yeatkf
O4 - HKLM\..\Run: [tprlsvc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tprlsvc.dll,azpkff
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [qushiwd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qushiwd.dll,peyhtab
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [muxiddn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muxiddn.dll,wicansf
O4 - HKLM\..\Run: [mgvxvfe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\mgvxvfe.dll,oeczgoc
O4 - HKLM\..\Run: [eogaebl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\eogaebl.dll,bfted
O4 - HKLM\..\Run: [luiuqrd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\luiuqrd.dll,sotjbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [455f15e.exe] C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\455f15e.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: clamoring - {0d9eb558-0666-479e-868a-21b1d1a53bd1} - C:\WINDOWS\system32\veklo.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe


Please help ME!!!!

Edited by jwrocker, 02 November 2006 - 11:01 PM.




#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 03 November 2006 - 11:16 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1, and press Enter.
A text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

#3 jwrocker
  • Topic Starter

  • Members
  • 8 posts

Posted 04 November 2006 - 11:05 PM

OK!
Here it is!!!

SmitFraudFix v2.119

Scan done at 23:01:53.79, Sat 11/04/2006
Run from C:\Documents and Settings\Benjamin Larochelle\My Documents\Programs\UNZIP\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS

C:\WINDOWS\.protected FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\veklo.dll FOUND !

C:\Documents and Settings\Benjamin Larochelle


C:\Documents and Settings\Benjamin Larochelle\Application Data


Start Menu

C:\DOCUME~1\BENJAM~1\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

C:\DOCUME~1\BENJAM~1\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\iCodecPack\ FOUND !
C:\Program Files\TrueCodec\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0d9eb558-0666-479e-868a-21b1d1a53bd1}"="clamoring"

[HKEY_CLASSES_ROOT\CLSID\{0d9eb558-0666-479e-868a-21b1d1a53bd1}\InProcServer32]
@="C:\WINDOWS\system32\veklo.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0d9eb558-0666-479e-868a-21b1d1a53bd1}\InProcServer32]
@="C:\WINDOWS\system32\veklo.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End
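The SrchSTS.exe section of the report above dumps the SharedTaskScheduler key and then the InProcServer32 key of each CLSID listed there, which is how the tool gets from the opaque label "clamoring" to C:\WINDOWS\system32\veklo.dll (the same CLSID and DLL that the O21 line in the first HijackThis log shows). The Python script below is an added example, not SmitfraudFix, S!Ri's or HijackThis code: it parses a dump in that .reg-style format, resolves every registered CLSID to its DLL, and marks anything that is not one of the two default Windows XP registrations for review. The sample dump is constructed from the lines in this report plus one default entry; the allow-list of default CLSIDs is an assumption of the example and should be confirmed against a known-clean machine.

```python
"""Resolve SharedTaskScheduler CLSIDs to the DLLs they load, from a .reg-style
dump such as the SrchSTS.exe section of a SmitfraudFix report.
Added example; not SmitfraudFix, S!Ri's or HijackThis code."""
import re

KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_LINE = re.compile(r'^(?P<name>@|"[^"]*")="(?P<data>[^"]*)"$')

STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
# Where a CLSID's InProcServer32 may be registered; HKCR mirrors HKLM\Software\Classes.
CLASS_ROOTS = ("HKEY_CLASSES_ROOT", r"HKEY_LOCAL_MACHINE\Software\Classes")
# CLSIDs Windows XP registers under SharedTaskScheduler by default
# (assumption of this example; confirm against a known-clean machine).
KNOWN_XP_CLSIDS = {
    "{438755c2-a8ba-11d1-b96b-00c04fd8d5e5}",  # Browseui preloader
    "{8c7461ef-2b13-11d2-be35-3078302c2030}",  # Component Categories cache daemon
}


def parse_reg_dump(text):
    """Map lower-cased key path -> {value name: data}.
    Registry paths are case-insensitive, so lower-casing lets the dump's
    SOFTWARE and Software spellings resolve to the same key."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_LINE.match(line)
        if km:
            current = km.group("key").lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_LINE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name").strip('"')] = vm.group("data")
    return keys


def resolve_shared_task_scheduler(keys):
    """(label, clsid, dll) for each CLSID under SharedTaskScheduler; dll is the
    InProcServer32 default value (@) or None if the dump has no such key."""
    found = []
    for clsid, label in keys.get(STS_KEY.lower(), {}).items():
        dll = None
        for root in CLASS_ROOTS:
            server = keys.get(f"{root}\\CLSID\\{clsid}\\InProcServer32".lower(), {})
            if "@" in server:
                dll = server["@"]
                break
        found.append((label, clsid, dll))
    return found


def review(keys):
    """Resolved entries plus a needs_review flag: True unless the CLSID is a
    default XP registration. As the report says, a hit is not proof of infection."""
    return [(label, clsid, dll, clsid.lower() not in KNOWN_XP_CLSIDS)
            for label, clsid, dll in resolve_shared_task_scheduler(keys)]


# Constructed dump: the three keys from the report in this thread plus one
# default XP entry (the browseui lines are constructed, not from the report).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00C04FD8D5E5}"="Browseui preloader"
"{0d9eb558-0666-479e-868a-21b1d1a53bd1}"="clamoring"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00C04FD8D5E5}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_CLASSES_ROOT\CLSID\{0d9eb558-0666-479e-868a-21b1d1a53bd1}\InProcServer32]
@="C:\WINDOWS\system32\veklo.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0d9eb558-0666-479e-868a-21b1d1a53bd1}\InProcServer32]
@="C:\WINDOWS\system32\veklo.dll"
"""

if __name__ == "__main__":
    for label, clsid, dll, needs_review in review(parse_reg_dump(SAMPLE_DUMP)):
        mark = "REVIEW" if needs_review else "known "
        print(f"{mark} {label:<32} {clsid} -> {dll}")
```

Run stand-alone it prints the browseui entry as known and "clamoring" as REVIEW with veklo.dll resolved from HKCR. The report's own caution still applies: an entry outside the allow-list means "look at this DLL", not "delete it"; vendor shell extensions can legitimately register here too.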

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 05 November 2006 - 08:33 AM

Let's continue...

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non-infected computer will remove your Desktop background.
Also post a new Hijackthis log.

David

#5 jwrocker
  • Topic Starter

  • Members
  • 8 posts

Posted 06 November 2006 - 12:43 AM

Ok!

Report from the Clean:

SmitFraudFix v2.119

Scan done at 0:28:19.37, Mon 11/06/2006
Run from C:\Documents and Settings\Benjamin Larochelle\My Documents\Programs\UNZIP\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0d9eb558-0666-479e-868a-21b1d1a53bd1}"="clamoring"

[HKEY_CLASSES_ROOT\CLSID\{0d9eb558-0666-479e-868a-21b1d1a53bd1}\InProcServer32]
@="C:\WINDOWS\system32\veklo.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0d9eb558-0666-479e-868a-21b1d1a53bd1}\InProcServer32]
@="C:\WINDOWS\system32\veklo.dll"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\veklo.dll -> Hoax.Win32.Renos.gen.g
C:\WINDOWS\system32\veklo.dll -> Deleted


Deleting infected files

C:\WINDOWS\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted
C:\Program Files\iCodecPack\ Deleted
C:\Program Files\TrueCodec\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

And here's the new Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 12:39:03 AM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\455f15e.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Benjamin Larochelle\My Documents\Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {083461A7-7F19-F0B7-F335-07DC26CA60EB} - C:\WINDOWS\system32\lxysvph.dll
O2 - BHO: (no name) - {0FBCA604-42FD-D607-7AF1-00F9A76E52B6} - C:\WINDOWS\system32\xvpxojj.dll
O2 - BHO: (no name) - {1D8339D5-2416-9648-7AE6-085C0E6CC31B} - C:\WINDOWS\system32\mesxgqf.dll
O2 - BHO: (no name) - {33C484AF-AA76-C9B2-0B6A-080DB2A0E813} - C:\WINDOWS\system32\nmzunn.dll
O2 - BHO: (no name) - {36C57497-6A07-ABBC-74C4-04607FF7CB02} - C:\WINDOWS\system32\hlgbexc.dll
O2 - BHO: (no name) - {3904B5E4-0774-796F-6C3C-0B6AF1EFA049} - C:\WINDOWS\system32\lrkucwb.dll
O2 - BHO: (no name) - {39681D2F-FAA2-BF2A-75CF-00AAC425EBF1} - C:\WINDOWS\system32\pdseqkh.dll
O2 - BHO: (no name) - {4B0D9780-CCD6-BD62-8D52-025BE65D2EED} - C:\WINDOWS\system32\rkfyvql.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {629651BA-C2AD-E2EB-293C-0507F26C50E2} - C:\WINDOWS\system32\hfcpdhm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [455f15e.exe] C:\WINDOWS\system32\455f15e.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ojloxxk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ojloxxk.dll,dfxhrpe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [zrngrtd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zrngrtd.dll,tkjyswc
O4 - HKLM\..\Run: [htvkatb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\htvkatb.dll,yeatkf
O4 - HKLM\..\Run: [tprlsvc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tprlsvc.dll,azpkff
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [qushiwd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qushiwd.dll,peyhtab
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [muxiddn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muxiddn.dll,wicansf
O4 - HKLM\..\Run: [mgvxvfe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\mgvxvfe.dll,oeczgoc
O4 - HKLM\..\Run: [eogaebl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\eogaebl.dll,bfted
O4 - HKLM\..\Run: [luiuqrd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\luiuqrd.dll,sotjbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [455f15e.exe] C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\455f15e.exe
O4 - Startup: .protected
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

Looks Much Better Already!!!!

#6 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 November 2006 - 04:42 AM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Close all instances of Internet Explorer.
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
When prompted, place a tick in the "Delete all offline content" box and click OK.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {083461A7-7F19-F0B7-F335-07DC26CA60EB} - C:\WINDOWS\system32\lxysvph.dll
O2 - BHO: (no name) - {0FBCA604-42FD-D607-7AF1-00F9A76E52B6} - C:\WINDOWS\system32\xvpxojj.dll
O2 - BHO: (no name) - {1D8339D5-2416-9648-7AE6-085C0E6CC31B} - C:\WINDOWS\system32\mesxgqf.dll
O2 - BHO: (no name) - {33C484AF-AA76-C9B2-0B6A-080DB2A0E813} - C:\WINDOWS\system32\nmzunn.dll
O2 - BHO: (no name) - {36C57497-6A07-ABBC-74C4-04607FF7CB02} - C:\WINDOWS\system32\hlgbexc.dll
O2 - BHO: (no name) - {3904B5E4-0774-796F-6C3C-0B6AF1EFA049} - C:\WINDOWS\system32\lrkucwb.dll
O2 - BHO: (no name) - {39681D2F-FAA2-BF2A-75CF-00AAC425EBF1} - C:\WINDOWS\system32\pdseqkh.dll
O2 - BHO: (no name) - {4B0D9780-CCD6-BD62-8D52-025BE65D2EED} - C:\WINDOWS\system32\rkfyvql.dll
O2 - BHO: (no name) - {629651BA-C2AD-E2EB-293C-0507F26C50E2} - C:\WINDOWS\system32\hfcpdhm.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [455f15e.exe] C:\WINDOWS\system32\455f15e.exe
O4 - HKLM\..\Run: [ojloxxk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ojloxxk.dll,dfxhrpe
O4 - HKLM\..\Run: [zrngrtd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zrngrtd.dll,tkjyswc
O4 - HKLM\..\Run: [htvkatb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\htvkatb.dll,yeatkf
O4 - HKLM\..\Run: [tprlsvc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tprlsvc.dll,azpkff
O4 - HKLM\..\Run: [qushiwd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qushiwd.dll,peyhtab
O4 - HKLM\..\Run: [muxiddn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muxiddn.dll,wicansf
O4 - HKLM\..\Run: [mgvxvfe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\mgvxvfe.dll,oeczgoc
O4 - HKLM\..\Run: [eogaebl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\eogaebl.dll,bfted
O4 - HKLM\..\Run: [luiuqrd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\luiuqrd.dll,sotjbt
O4 - HKCU\..\Run: [455f15e.exe] C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\455f15e.exe
O4 - Startup: .protected


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\lxysvph.dll
C:\WINDOWS\system32\xvpxojj.dll
C:\WINDOWS\system32\mesxgqf.dll
C:\WINDOWS\system32\nmzunn.dll
C:\WINDOWS\system32\hlgbexc.dll
C:\WINDOWS\system32\lrkucwb.dll
C:\WINDOWS\system32\pdseqkh.dll
C:\WINDOWS\system32\rkfyvql.dll
C:\WINDOWS\system32\hfcpdhm.dll
C:\WINDOWS\system32\455f15e.exe
C:\WINDOWS\system32\ojloxxk.dll
C:\WINDOWS\system32\zrngrtd.dll
C:\WINDOWS\system32\htvkatb.dll
C:\WINDOWS\system32\tprlsvc.dll
C:\WINDOWS\system32\qushiwd.dll
C:\WINDOWS\system32\muxiddn.dll
C:\WINDOWS\system32\mgvxvfe.dll
C:\WINDOWS\system32\eogaebl.dll
C:\WINDOWS\system32\luiuqrd.dll
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\455f15e.exe
C:\Documents and Settings\Benjamin Larochelle\Start Menu\Programs\Startup\.protected


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

David
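The Killbox list above was built by hand from the O2/O4 entries: unnamed BHOs in system32, Run entries that load a random-named DLL through rundll32, a hex-named .exe in system32 and in Local Settings\Application Data, and a dot-file in the Startup folder. The following Python script is an added example that automates that triage; it is not code from this thread, from HijackThis or from Killbox, and its heuristics, its sample lines (copied from the logs in this thread) and the assumed Startup folder path are constructed for the example.

```python
"""Triage HijackThis O2/O4 entries the way a forum helper does by hand.

Added example for this thread; not code from HijackThis, Killbox or the
poster. The heuristics, the sample lines (copied from the logs in this
thread) and the Startup folder path are assumptions made for the example.
"""
import re
from dataclasses import dataclass

# Constructed sample: malicious and legitimate entries from the thread side by side.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {1D8339D5-2416-9648-7AE6-085C0E6CC31B} - C:\WINDOWS\system32\mesxgqf.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [455f15e.exe] C:\WINDOWS\system32\455f15e.exe
O4 - HKLM\..\Run: [ojloxxk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ojloxxk.dll,dfxhrpe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [455f15e.exe] C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\455f15e.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
"""

# Assumed Startup folder for the profile in the thread (HijackThis shows only the item name).
STARTUP_DIR = r"C:\Documents and Settings\Benjamin Larochelle\Start Menu\Programs\Startup"

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<item>.+)$")
# A drive path ending in .exe/.dll, so the two paths on a rundll32 command line split correctly.
PATH_RE = re.compile(r'[A-Za-z]:\\.+?\.(?:exe|dll)(?=[\s,"]|$)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")                  # mesxgqf.dll, nmzunn.dll, ...
HEX_EXE_RE = re.compile(r"^[0-9a-f]{6,8}\.exe$", re.IGNORECASE)  # 455f15e.exe
LOCAL_APPDATA_RE = re.compile(r"\\Local Settings\\Application Data\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    entry: str   # the HijackThis line that triggered the rule
    path: str    # the file a helper would hand to Killbox
    reason: str


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage_line(line, startup_dir=STARTUP_DIR):
    """Return the findings for one HijackThis line (empty list if nothing matched)."""
    found = []
    if m := BHO_RE.match(line):
        # Legitimate BHOs normally carry a name and live under Program Files; an unnamed
        # one loaded from a random-looking DLL directly in system32 is the pattern in this log.
        if m["name"] == "(no name)" and SYSTEM32_RE.match(m["path"]) and RANDOM_DLL_RE.match(basename(m["path"])):
            found.append(Finding(line, m["path"], "unnamed BHO loaded from a random-named DLL in system32"))
    elif m := RUN_RE.match(line):
        cmd = m["cmd"]
        for p in PATH_RE.findall(cmd):
            base = basename(p)
            if base.lower() == "rundll32.exe":
                continue  # the host process, not the payload
            if LOCAL_APPDATA_RE.search(p):
                found.append(Finding(line, p, m["hive"] + " Run entry starting an .exe from the profile's Local Settings data folder"))
            elif HEX_EXE_RE.match(base):
                found.append(Finding(line, p, m["hive"] + " Run entry starting an .exe with a hex-looking name"))
            elif "rundll32.exe" in cmd.lower() and RANDOM_DLL_RE.match(base):
                found.append(Finding(line, p, m["hive"] + " Run entry loading a random-named DLL through rundll32"))
    elif m := STARTUP_RE.match(line):
        item = m["item"]
        # Startup-folder items are normally .lnk shortcuts; a dot-file with no extension is not one.
        if item.startswith(".") or "." not in item:
            found.append(Finding(line, startup_dir.rstrip("\\") + "\\" + item, "unexpected item in the Startup folder"))
    return found


def triage(log_text, startup_dir=STARTUP_DIR):
    findings = []
    for raw in log_text.splitlines():
        findings.extend(triage_line(raw.strip(), startup_dir))
    return findings


def killbox_list(findings):
    """Unique file paths in first-seen order, ready to paste into Killbox."""
    paths = []
    for f in findings:
        if f.path not in paths:
            paths.append(f.path)
    return paths


if __name__ == "__main__":
    hits = triage(HJT_SAMPLE)
    for f in hits:
        print(f"{f.reason}\n    {f.entry}")
    print("\nKillbox list:")
    print("\n".join(killbox_list(hits)))
```

The rules are deliberately narrow (name, location and rundll32 usage together), so a legitimate unnamed BHO such as Spybot's SDHelper.dll under Program Files is not flagged; anything the script lists still needs a helper's confirmation before deletion.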

#7 jwrocker

jwrocker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:06 AM

Posted 06 November 2006 - 10:11 PM

Ok Here is the Combofix:

Benjamin Larochelle - 06-11-06 22:02:27.65 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Benjamin Larochelle\My Documents\Programs"

((((((((((((((((((((((((((((((( Files Created from 2006-10-06 to 2006-11-06 ))))))))))))))))))))))))))))))))))


2006-11-04 23:01 5,010 --a------ C:\WINDOWS\system32\tmp.reg


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-06 22:00 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-02 21:15 -------- d-------- C:\Program Files\XoftSpy
2006-11-02 21:14 -------- d-------- C:\Program Files\Enigma Software Group
2006-11-01 18:19 -------- d-------- C:\Program Files\Apoint2K
2006-11-01 17:54 -------- d-------- C:\Program Files\Roguescanfix
2006-11-01 02:08 -------- d-------- C:\Program Files\iTunes
2006-11-01 02:07 -------- d-------- C:\Program Files\Internet Explorer
2006-11-01 02:06 -------- d-------- C:\Program Files\Google
2006-10-29 21:43 -------- d-------- C:\Documents and Settings\Benjamin Larochelle\Application Data\Image Zone Express
2006-10-16 23:26 -------- d-------- C:\Documents and Settings\Benjamin Larochelle\Application Data\InterVideo
2006-10-12 23:47 -------- d---s---- C:\Documents and Settings\Benjamin Larochelle\Application Data\Microsoft
2006-10-12 23:27 -------- d-------- C:\Program Files\iPod
2006-10-12 23:26 -------- d-------- C:\Program Files\QuickTime
2006-10-12 23:24 -------- d-------- C:\Program Files\Apple Software Update
2006-10-12 02:09 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-04 17:03 -------- d-------- C:\Documents and Settings\Benjamin Larochelle\Application Data\HP
2006-10-03 15:24 -------- d-------- C:\Program Files\HP
2006-10-03 15:24 -------- d-------- C:\Program Files\Common Files\HP
2006-10-03 15:24 -------- d-------- C:\Program Files\Common Files
2006-10-03 15:20 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-03 15:18 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-09-30 23:03 -------- d-------- C:\Program Files\TOSHIBA
2006-09-28 16:00 -------- d-------- C:\Program Files\Seekmo Programs
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TCtryIOHook"="TCtrlIOHook.exe"
"TFncKy"="TFncKy.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"NDSTray.exe"="NDSTray.exe"
"HWSetup"="C:\\Program Files\\TOSHIBA\\TOSHIBA Applet\\HWSetup.exe hwSetUP"
"SVPWUTIL"="C:\\Program Files\\Toshiba\\Windows Utilities\\SVPWUTIL.exe SVPwUTIL"
"Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe"
"CeEKEY"="C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe"
"TPSMain"="TPSMain.exe"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"Notebook Maximizer"="C:\\Program Files\\Notebook Maximizer\\maximizer_startup.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 06-11-06 22:03:01.07
C:\ComboFix.txt ... 06-11-06 22:03


And here is the new HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:18 PM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Benjamin Larochelle\My Documents\Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe



I thought you should know that Killbox did Not prompt me for any Renaming Operations.
Also that Hijackthis would not let me delete: O4 - Startup: .protected
Is this OK??

-ben

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:02:06 PM

Posted 07 November 2006 - 11:48 AM

Hey there,

Thanks for letting me know about Killbox; the fact that you didn't receive the error is a good sign.
Although you weren't able to fix the entry it would appear that after a reboot the file has now been disabled.
The file was deleted when we ran Killbox also.

Please now find and delete this folder:
C:\Program Files\Seekmo Programs

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Also let me know how the PC is running.
David

#9 jwrocker

jwrocker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:06 AM

Posted 08 November 2006 - 12:40 AM

When I clicked "Accept" nothing happened.
Perhaps I should have told you that I am running Mozilla Firefox.
Does this matter??

-ben

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:02:06 PM

Posted 08 November 2006 - 01:03 PM

Ahh, try this in Internet Explorer. Let me know how it goes.

#11 jwrocker

jwrocker
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:06 AM

Posted 10 November 2006 - 01:00 AM

Ok That worked!

As far as how the PC is running... Fine, I guess. Perhaps a bit slow; I just upgraded to 1.26 gigs of RAM and I think that it is a bit slower than when I first installed it.

Infected Object Name | Virus Name | Last Action
C:\!KillBox\455f15e.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\!KillBox\455f15e.exe( 1) Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Application Data\Mozilla\Firefox\Profiles\2byp80ld.default\cert8.db Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Application Data\Mozilla\Firefox\Profiles\2byp80ld.default\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Application Data\Mozilla\Firefox\Profiles\2byp80ld.default\history.dat Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Application Data\Mozilla\Firefox\Profiles\2byp80ld.default\key3.db Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Application Data\Mozilla\Firefox\Profiles\2byp80ld.default\parent.lock Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Application Data\winantiviruspro2006freeinstall[1].exe Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\Documents and Settings\Benjamin Larochelle\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\15aab1f6.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\84547cf6.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\d63fe8f6.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\2byp80ld.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\2byp80ld.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\2byp80ld.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\Mozilla\Firefox\Profiles\2byp80ld.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\History\History.IE5\MSHist012006110920061110\index.dat Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Temp\Perflib_Perfdata_8d8.dat Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Temp\~DFC03D.tmp Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Benjamin Larochelle\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Benjamin Larochelle.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Benjamin Larochelle.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Benjamin Larochelle.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP38\A0006555.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP39\A0006611.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP39\A0006628.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP40\A0006725.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP40\A0006751.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP40\A0006771.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP40\A0006790.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP42\A0006852.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP42\A0006876.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP42\A0006895.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP42\A0006908.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP43\A0006925.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP43\A0006937.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP44\A0006967.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP45\A0006993.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP45\A0007012.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP45\A0007031.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP45\A0007050.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP45\A0007068.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP45\A0007084.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP46\A0007122.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP50\A0007288.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP50\A0007338.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP50\A0007352.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP50\A0007368.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP50\A0007370.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP50\A0007382.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP50\A0007384.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP50\A0007461.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP51\A0007481.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP51\A0007486.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP51\A0007498.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP51\A0007515.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP51\A0007517.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP51\A0007534.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP52\A0007554.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP52\A0007633.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP52\A0007650.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP52\A0007672.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP52\A0007687.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP53\A0007713.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007741.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007742.tlb Infected: Trojan-Downloader.Win32.Zlob.yi skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007749.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007751.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007762.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007763.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007766.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007795.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007796.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007798.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007815.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007816.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007818.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP54\A0007823.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007865.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007866.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007868.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007886.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007887.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007889.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007891.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007905.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007906.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP55\A0007908.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007928.exe Infected: Trojan-Downloader.Win32.Zlob.yr skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007932.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007938.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007941.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007944.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007958.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007959.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007961.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007972.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007973.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007975.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007978.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007995.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007996.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0007998.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0008015.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0008016.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0008018.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0008056.dll Infected: not-virus:Hoax.Win32.Renos.es skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0008065.exe Infected: Trojan-Downloader.Win32.Zlob.yg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0008072.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0008075.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0009071.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0009104.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP56\A0009108.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP57\A0009126.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP57\A0009131.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP58\A0009164.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP59\A0009195.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP59\A0009230.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP59\A0009273.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP60\A0009374.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP60\A0009380.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP60\A0009391.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP60\A0009407.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP60\A0009409.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP60\A0009428.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP60\A0009459.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP61\A0009494.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP61\A0009499.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP62\A0009521.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP62\A0009537.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP62\A0009571.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP62\A0009577.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP64\A0009991.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP64\A0009996.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP64\A0010015.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP64\A0010031.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP65\A0010221.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP65\A0010235.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP65\A0010253.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP67\A0010298.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP67\A0010303.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP68\A0010323.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP69\A0011323.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP69\A0011335.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP69\A0011340.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP69\A0011348.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP69\A0011350.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP69\A0011360.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP69\A0011365.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP70\A0011378.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP70\A0011396.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP71\A0011409.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP71\A0012409.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP71\A0012414.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP71\A0012422.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP71\A0013439.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP71\A0013450.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP72\A0013473.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP72\A0013484.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP72\A0013489.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP72\A0013498.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP72\A0013503.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP72\A0013512.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP73\A0013550.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP73\A0013553.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013631.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013642.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013643.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013644.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013646.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013662.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013663.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013664.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013666.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013709.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013710.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013711.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013713.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013723.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013724.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013725.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013726.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013747.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013748.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013749.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013765.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013766.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP74\A0013767.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013780.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013781.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013782.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013798.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013799.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013800.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013814.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013815.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013816.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013822.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013830.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013831.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013832.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013845.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013846.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP75\A0013847.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013869.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013870.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013871.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013877.exe Infected: Trojan-Downloader.Win32.Agent.avm skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013891.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013892.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013893.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013909.dll Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013910.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013911.dll Infected: Trojan-Downloader.Win32.Zlob.aju skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013912.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013913.exe Infected: Trojan-Downloader.Win32.Zlob.aka skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013914.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013916.exe Infected: not-virus:Hoax.Win32.Renos.fh skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013919.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013920.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013921.dll Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013922.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013923.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013924.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013926.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013927.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013928.exe Infected: Trojan-Downloader.Win32.Zlob.atg skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013940.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013958.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013976.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP76\A0013986.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\System Volume Information\_restore{8A2FF72E-925C-4693-95A8-CFACA1846F05}\RP77\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS2218.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS2218.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS2218.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS2218.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\Downloaded Program Files\gdnUS2218.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\WINDOWS\Prefetch\Layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.




Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 12:57:39 AM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Benjamin Larochelle\My Documents\Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

Edited by jwrocker, 10 November 2006 - 01:04 AM.


#12 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 12 November 2006 - 03:47 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please delete these files/folders:

C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\15aab1f6.exe
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\84547cf6.exe
C:\Documents and Settings\Benjamin Larochelle\Local Settings\Application Data\d63fe8f6.exe
C:\WINDOWS\Downloaded Program Files\gdnUS2218.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\WINDOWS\Downloaded Program Files\CONFLICT.2
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\CONFLICT.4

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer.
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and empty the Recycle Bin.

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Please reboot back to normal mode.

Go to start > run and type regsvr32 occache.dll

We need to purge your infected system restore points.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Now, we want to create a new, clean restore point.
Please first reboot your computer.
Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create and you're done.

Now, how is the PC running?
I see a clean log here! :thumbsup:
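
As an added example (not part of this thread, and not HijackThis code), here is a small Python triage script that parses lines in the HijackThis v1.99.1 format posted above and flags the patterns the helper acted on: hex-named executables launched from a per-user Application Data folder, and services whose publisher HijackThis could not identify. The sample log lines are constructed; the O4 entry is invented to mirror the hex-named files in the deletion list and is not taken from the posted log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in HijackThis v1.99.1 format (the second O4 line is
# invented to resemble the files the helper asked to be deleted).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [15aab1f6] C:\Documents and Settings\User\Local Settings\Application Data\15aab1f6.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .exe/.dll, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))', re.IGNORECASE)

@dataclass
class Entry:
    kind: str            # HijackThis section, e.g. "O4", "O23"
    body: str            # the rest of the line
    path: Optional[str]  # executable path, if one was found

def parse(log: str) -> List[Entry]:
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank lines and header text are skipped
        kind, body = m.groups()
        p = PATH_RE.search(body)
        entries.append(Entry(kind, body, p.group(1) if p else None))
    return entries

def suspicious(e: Entry) -> List[str]:
    """Heuristics only: every hit still needs a human to verify it.
    'Unknown owner' is also common for legitimate drivers (the Atheros
    service in this log is one such case)."""
    reasons = []
    if e.path:
        name = e.path.rsplit("\\", 1)[-1].lower()
        if re.fullmatch(r"[0-9a-f]{8}\.exe", name):
            reasons.append("hex-named executable")
        if "\\local settings\\application data\\" in e.path.lower():
            reasons.append("autorun from per-user Application Data")
    if e.kind == "O23" and "- Unknown owner -" in e.body:
        reasons.append("service with unknown owner")
    return reasons

def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged entry's text to the reasons it was flagged."""
    flagged = {}
    for e in parse(log):
        reasons = suspicious(e)
        if reasons:
            flagged[e.body] = reasons
    return flagged
```

Running triage(SAMPLE_LOG) flags the invented 15aab1f6.exe autorun entry and the unknown-owner service, and leaves the iTunes, ATI and Panda entries alone.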

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 18 November 2006 - 06:12 PM

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.



