Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Renos And Spysheriff


  • This topic is locked This topic is locked
33 replies to this topic

#1 NickWagner

NickWagner

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 18 January 2007 - 01:49 PM

Windows Defender locates Renos and says that it removes it, but it always returns. Symantec locates SpySheriff and the same thing happens. I've used SpyBot, Ad-Aware, and AVG Anti-spyware. I also ran the SmithFraudFix a half dozen times without success. I think I've followed all the steps in Preparation Guide for use before posting a HijackThis Log, which led me to this step. The hijackthis log is below. Thank you for your help with this.

Logfile of HijackThis v1.99.1
Scan saved at 10:03:03 AM, on 1/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\VBTUCopy\VBTUCopy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\Nick\us22.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\KEYWAL~1\KWallet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Nick\My Documents\My Downloads\stng260.exe
C:\Documents and Settings\Nick\Desktop\Morning start\tclocklight-040702-3\tclock.exe
C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\Nick\My Documents\My Downloads\zlsSetup_70_302_000_en.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\GLBDC9.tmp
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Documents and Settings\Nick\My Documents\My Downloads\hijackthis\HijackThis.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [12_06 EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P29 "12_06 EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [KeyWallet] C:\PROGRA~1\KEYWAL~1\KWallet.exe
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?da116aaaff98481992f543bb18c15990
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?da116aaaff98481992f543bb18c15990
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/Activ...iveXClient1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: EvtEng - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: RegSrvc - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:37 AM

Posted 18 January 2007 - 02:10 PM

Hello Nick,

I am SifuMike and I will be helping you. :thumbsup:

Did you run AVG Anti-spyware in the Safe Mode?

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



If not, then please do so. :flowers:


Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. :huh:

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

**************


Let's see what Smitfruadfix is finding.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by SifuMike, 18 January 2007 - 02:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 NickWagner

NickWagner
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 18 January 2007 - 04:49 PM

Hi Mike, thanks for getting back to me so quickly. Do I need to run BitDefender in Safe Mode as well? --Nick

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:37 AM

Posted 18 January 2007 - 04:59 PM

Hi Nick,

No, run BitDefender in the Normal Mode. :thumbsup:

And run SmitfraudFix in the Normal Mode.

Edited by SifuMike, 18 January 2007 - 05:00 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 NickWagner

NickWagner
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 19 January 2007 - 12:22 AM

Okay, I ran AVG in safe mode and the BitDefender and SmithFraudFix reports are pasted below. Thanks.



BitDefender Online Scanner







Scan report generated at: Thu, Jan 18, 2007 - 20:24:05









Scan path: C:\;D:\;















Statistics

Time


02:02:49

Files


787864

Folders


11207

Boot Sectors


2

Archives


14056

Packed Files


68718







Results

Identified Viruses


2

Infected Files


2

Suspect Files


1

Warnings


0

Disinfected


0

Deleted Files


3







Engines Info

Virus Definitions


381234

Engine build


AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)

Scan plugins


14

Archive plugins


38

Unpack plugins


6

E-mail plugins


6

System plugins


1







Scan Settings

First Action


Disinfect

Second Action


Delete

Heuristics


Yes

Enable Warnings


Yes

Scanned Extensions


*;

Exclude Extensions




Scan Emails


Yes

Scan Archives


Yes

Scan Packed


Yes

Scan Files


Yes

Scan Boot


Yes








Scanned File


Status

C:\Documents and Settings\Nick\.housecall6.6\Quarantine\vaxsetup.731.exe.bac_a04512=>(Quarantine-4)=>(NSIS o)


Infected with: Trojan.Downloader.Zlob.JU

C:\Documents and Settings\Nick\.housecall6.6\Quarantine\vaxsetup.731.exe.bac_a04512=>(Quarantine-4)=>(NSIS o)


Disinfection failed

C:\Documents and Settings\Nick\.housecall6.6\Quarantine\vaxsetup.731.exe.bac_a04512=>(Quarantine-4)=>(NSIS o)


Deleted

C:\Documents and Settings\Nick\.housecall6.6\Quarantine\vaxsetup.731.exe.bac_a04512=>(Quarantine-4)


Update failed

C:\System Volume Information\_restore{C74F877F-F337-4115-9A47-B71C0D9BB1C7}\RP876\A0141968.exe


Suspected of: Trojan.Downloader.Gen

C:\System Volume Information\_restore{C74F877F-F337-4115-9A47-B71C0D9BB1C7}\RP876\A0141968.exe


Disinfection failed

C:\System Volume Information\_restore{C74F877F-F337-4115-9A47-B71C0D9BB1C7}\RP876\A0141968.exe


Deleted

C:\System Volume Information\_restore{C74F877F-F337-4115-9A47-B71C0D9BB1C7}\RP877\A0143060.dll


Infected with: DeepScan:Generic.Zlob.CDAAE811

C:\System Volume Information\_restore{C74F877F-F337-4115-9A47-B71C0D9BB1C7}\RP877\A0143060.dll


Disinfection failed

C:\System Volume Information\_restore{C74F877F-F337-4115-9A47-B71C0D9BB1C7}\RP877\A0143060.dll


Deleted

****************************************************************

SmitFraudFix v2.132

Scan done at 21:15:44.08, Thu 01/18/2007
Run from C:\PROGRA~1\MOZILL~1\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Nick


C:\Documents and Settings\Nick\Application Data


Start Menu





Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:37 AM

Posted 19 January 2007 - 12:02 PM

Hi Nick,

Let's dig deeper. :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Do not proceed with the rest of the fix if you fail to run combofix
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 19 January 2007 - 12:03 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 NickWagner

NickWagner
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 19 January 2007 - 06:15 PM

Sorry I didn't get this up sooner. It's been a hectic day.

"Nick" - 07-01-19 15:07:43 Service Pack 2
ComboFix 07-01-18 - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((( Files Created from 2006-12-19 to 2007-01-19 ))))))))))))))))))))))))))))))))))


2007-01-19 10:47 56,912 --a------ C:\DOCUME~1\Nick\g2mdlhlpx.exe
2007-01-19 10:47 <DIR> d-------- C:\Program Files\Citrix
2007-01-19 05:42 23,552 --a------ C:\WINDOWS\system32\us22.exe
2007-01-19 05:42 <DIR> d-------- C:\DOCUME~1\Nick\Application Data\ultra
2007-01-18 21:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-18 21:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-18 21:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-18 21:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-18 21:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-18 21:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-18 10:02 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-01-18 10:02 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-18 10:02 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-01-18 10:02 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-01-18 09:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-01-17 22:12 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-17 15:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-17 13:17 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-17 13:16 <DIR> d-------- C:\DOCUME~1\Nick\.housecall6.6
2007-01-17 07:14 17,920 --a------ C:\DOCUME~1\Nick\Application Data\xlibgfl254.dll
2007-01-16 20:32 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-16 20:32 <DIR> d-------- C:\Program Files\Grisoft
2007-01-16 20:29 <DIR> d-------- C:\Program Files\Folder Guide
2007-01-16 08:26 21,425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-01-16 08:24 <DIR> d-------- C:\Intel
2007-01-15 15:57 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2007-01-15 15:57 3,712 --a------ C:\WINDOWS\system32\drivers\LBeepKE.sys
2007-01-15 15:57 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
2007-01-15 15:57 131,072 --a------ C:\WINDOWS\system32\KemUtil.dll
2007-01-15 15:57 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2007-01-14 22:22 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-14 22:22 <DIR> d-------- C:\WINDOWS\system32\skins
2007-01-14 22:18 <DIR> d-------- C:\Program Files\TrueLaunchBar
2007-01-14 22:12 <DIR> d-------- C:\DOCUME~1\Nick\Application Data\U3
2007-01-14 20:38 23,040 --a------ C:\DOCUME~1\Nick\furhmggk.exe
2007-01-14 20:17 <DIR> d-------- C:\bluetooth_temp.tos
2007-01-14 20:09 <DIR> d-------- C:\3m200v18
2007-01-14 19:27 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2007-01-14 19:27 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2007-01-14 19:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-01-13 07:49 <DIR> d-------- C:\Program Files\JelloDashboard
2007-01-12 21:22 23,040 --a------ C:\DOCUME~1\Nick\yjwnfwlk.exe
2007-01-12 08:58 23,040 --a------ C:\DOCUME~1\Nick\rcuqvamd.exe
2007-01-11 17:24 23,040 --a------ C:\DOCUME~1\Nick\nkjirkln.exe
2007-01-09 08:15 22,528 --a------ C:\DOCUME~1\Nick\tquznwyh.exe
2007-01-09 08:07 22,528 --a------ C:\DOCUME~1\Nick\dxvusxee.exe
2007-01-09 08:07 18,432 --a------ C:\WINDOWS\system32\xlibgfl254.dll
2007-01-08 20:59 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-08 20:40 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-01-08 20:40 123,200 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-01-08 20:39 <DIR> d-------- C:\Program Files\Symantec
2007-01-08 20:38 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-01-08 20:38 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-01-08 20:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Symantec
2007-01-03 08:50 <DIR> d-------- C:\Program Files\MozBackup
2006-12-29 14:53 <DIR> d-------- C:\DOCUME~1\Nick\Application Data\Dexpot
2006-12-29 12:15 <DIR> d-------- C:\Program Files\The Cleaner
2006-12-29 08:23 <DIR> d-------- C:\Program Files\Dexpot
2006-12-24 11:55 <DIR> d-------- C:\WINDOWS\CSC
2006-12-21 18:35 <DIR> d-------- C:\WINDOWS\system32\ultra
2006-12-19 16:52 <DIR> d-------- C:\Program Files\Genius 2000


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-19 15:07 -------- d-------- C:\Program Files\mozilla firefox
2007-01-19 15:00 -------- d-------- C:\DOCUME~1\Nick\Application Data\popfile
2007-01-19 14:43 -------- d-------- C:\DOCUME~1\Nick\Application Data\adobeum
2007-01-19 11:21 -------- d-------- C:\Program Files\trillian
2007-01-19 06:04 -------- d-------- C:\Program Files\emailer
2007-01-18 21:15 6968 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-18 10:14 -------- d-------- C:\DOCUME~1\Nick\Application Data\toshiba
2007-01-17 23:39 -------- d-------- C:\Program Files\windows journal
2007-01-17 23:39 -------- d-------- C:\Program Files\windows defender
2007-01-17 23:39 -------- d-------- C:\Program Files\vbtucopy
2007-01-17 23:39 -------- d-------- C:\Program Files\popfile
2007-01-17 23:39 -------- d-------- C:\Program Files\ltmoh
2007-01-17 23:39 -------- d-------- C:\Program Files\keywallet
2007-01-17 23:39 -------- d-------- C:\Program Files\autohotkey
2007-01-17 23:39 -------- d-------- C:\Program Files\apoint2k
2007-01-15 15:56 -------- d-------- C:\Program Files\Common Files\logitech
2007-01-14 20:28 -------- d-------- C:\Program Files\toshiba
2007-01-13 07:28 -------- d-------- C:\Program Files\sbc self support tool
2007-01-11 11:06 -------- d-------- C:\Program Files\yahoo!
2007-01-11 11:04 -------- d-------- C:\Program Files\Common Files\scanner
2007-01-08 20:30 -------- d-------- C:\Program Files\abacast
2007-01-08 20:02 -------- d-------- C:\Program Files\background boss
2007-01-06 10:14 -------- d-------- C:\Program Files\openoffice.org1.1.5
2006-12-23 11:25 38465 --a------ C:\DOCUME~1\Nick\Application Data\microsoft excel.adr
2006-12-23 07:33 -------- d-------- C:\Program Files\privoxy
2006-12-14 20:12 -------- d-------- C:\Program Files\clamwin
2006-12-09 11:05 -------- d-------- C:\Program Files\Common Files\motive
2006-12-09 11:04 -------- d-------- C:\Program Files\mailshell
2006-12-08 17:30 4096 --a------ C:\WINDOWS\system32\ntsystem.exe
2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-30 12:19 -------- d-------- C:\Program Files\usps
2006-11-24 13:22 -------- d-------- C:\Program Files\wisdom-soft screenhunter plus
2006-11-21 07:21 -------- d-------- C:\Program Files\zabkat
2006-11-07 21:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 05:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-01 21:10 33 --a------ C:\DOCUME~1\Nick\Application Data\.googlewebacchosts


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"FolderShare"="\"C:\\Program Files\\FolderShare\\FolderShare.exe\" /background"
"KeyWallet"="C:\\PROGRA~1\\KEYWAL~1\\KWallet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"00THotkey"="C:\\WINDOWS\\system32\\00THotkey.exe"
"CrossMenu"="C:\\Program Files\\Toshiba\\CrossMenu\\CrossMenu.exe"
"TapButt"="C:\\Program Files\\Toshiba\\TapButton\\TapButt.exe"
"000StTHK"="000StTHK.exe"
"TAcelMgr"="C:\\Program Files\\TOSHIBA\\Acceleration Utilities\\TAcelMgr\\TAcelMgr.exe"
"TSkrMain"="C:\\Program Files\\TOSHIBA\\Acceleration Utilities\\Shaker\\TSkrMain.exe"
"TPSMain"="TPSMain.exe"
"TFNF5"="TFNF5.exe"
"TosHKCW.exe"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"TMESRV.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMESRV31.EXE /Logon"
"TMERzCtl.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMERzCtl.EXE /Service"
"TosRotation"="\"C:\\Program Files\\TOSHIBA\\TOSHIBA Rotation Utility\\TRot.exe\""
"TAudEffect"="C:\\Program Files\\Toshiba\\TAudEffect\\TAudEff.exe /run"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"NDSTray.exe"="NDSTray.exe"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"Pinger"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe /run"
"TabletWizard"="C:\\WINDOWS\\help\\SplshWrp.exe"
"TabletTip"="\"C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabtip.exe\" /resume"
"ezShieldProtector for Px"="C:\\WINDOWS\\system32\\ezSP_Px.exe"
"VBTUCopy"="C:\\Program Files\\VBTUCopy\\VBTUCopy.exe /a /f"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"12_06 EPSON Stylus C86 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2R1.EXE /P29 \"12_06 EPSON Stylus C86 Series\" /O6 \"USB001\" /M \"Stylus C86\""
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"Logitech Hardware Abstraction Layer"="\"C:\\Program Files\\Common Files\\Logitech\\khalshared\\KHALMNPR.EXE\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"gwiz"="C:\\WINDOWS\\system32\\ntsystem.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"CFSServ.exe"="CFSServ.exe -NoClient"
@=""
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Bluetooth Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Bluetooth Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Toshiba\\BLUETO~1\\TosBtMng.exe "
"item"="Bluetooth Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CompuServe 2000 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\CompuServe 2000 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\CompuServe 2000 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMPUS~2\\cstray.exe -check"
"item"="CompuServe 2000 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotKeys.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HotKeys.lnk"
"backup"="C:\\WINDOWS\\pss\\HotKeys.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{19D50CD6-44B9-4011-9568-084840781C96}\\_69525f90.exe "
"item"="HotKeys"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacroMaker.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MacroMaker.lnk"
"backup"="C:\\WINDOWS\\pss\\MacroMaker.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{49E9E81A-9CA8-4A76-8AD6-BE7E3B2E1E2A}\\_18be6784.exe "
"item"="MacroMaker"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Privoxy.lnk"
"backup"="C:\\WINDOWS\\pss\\Privoxy.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Privoxy\\privoxy.exe "
"item"="Privoxy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SBC Self Support Tool.lnk"
"backup"="C:\\WINDOWS\\pss\\SBC Self Support Tool.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SBCSEL~1\\bin\\matcli.exe -boot"
"item"="SBC Self Support Tool"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Windows Desktop Search.lnk"
"backup"="C:\\WINDOWS\\pss\\Windows Desktop Search.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MSNTOO~1\\DS\\020500~1.111\\en-us\\bin\\WINDOW~3.EXE /startup"
"item"="Windows Desktop Search"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
"path"="C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\Desktop Application Director 9.LNK"
"backup"="C:\\WINDOWS\\pss\\Desktop Application Director 9.LNKStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Corel\\WORDPE~1\\programs\\dad9.exe "
"item"="Desktop Application Director 9"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVRID"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DragDrop"
"hkey"="HKLM"
"command"="C:\\Program Files\\Drag'n Drop CD+DVD\\BinFiles\\DragDrop.exe /StartUp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZCfgSvc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyWallet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KWallet"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\KEYWAL~1\\KWallet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RoboTaskBarIcon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snippet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SnippingTool"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft Experience Pack\\Snipping Tool\\SnippingTool.exe\" /i"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yop"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TabletWizard"=hex(2):25,77,69,6e,64,69,72,25,5c,68,65,6c,70,5c,77,69,7a,61,72,\
64,2e,68,74,61,00
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"TabletWizard"=hex(2):25,77,69,6e,64,69,72,25,5c,68,65,6c,70,5c,77,69,7a,61,72,\
64,2e,68,74,61,00
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ {80E95280-2D38-3CB8-A215-FB5F14C4343E}

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll, xlibgfl254.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\SyncBack Weekly backup.job

Completion time: 07-01-19 15:12:34

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:37 AM

Posted 19 January 2007 - 06:36 PM

Hi Nick,

You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files. <== IMPORTANT

Go to Jotti Online File Scanner copy and paste C:\WINDOWS\system32\us22.exe to the upload and scan it.

Do the same procedure with these files:
C:\DOCUME~1\Nick\Application Data\xlibgfl254.dll
C:\DOCUME~1\Nick\yjwnfwlk.exe
C:\DOCUME~1\Nick\rcuqvamd.exe
C:\DOCUME~1\Nick\nkjirkln.exe
C:\DOCUME~1\Nick\tquznwyh.exe
C:\DOCUME~1\Nick\dxvusxee.exe
C:\WINDOWS\system32\xlibgfl254.dll


Let me know the results.
Copy and paste the outputs to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)



Also, please post a fresh Hijackthis log.

Edited by SifuMike, 19 January 2007 - 06:55 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 NickWagner

NickWagner
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 19 January 2007 - 07:23 PM

Sorry I didn't get this up sooner. It's been a hectic day.

"Nick" - 07-01-19 15:07:43 Service Pack 2
ComboFix 07-01-18 - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((( Files Created from 2006-12-19 to 2007-01-19 ))))))))))))))))))))))))))))))))))


2007-01-19 10:47 56,912 --a------ C:\DOCUME~1\Nick\g2mdlhlpx.exe
2007-01-19 10:47 <DIR> d-------- C:\Program Files\Citrix
2007-01-19 05:42 23,552 --a------ C:\WINDOWS\system32\us22.exe
2007-01-19 05:42 <DIR> d-------- C:\DOCUME~1\Nick\Application Data\ultra
2007-01-18 21:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-18 21:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-18 21:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-18 21:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-18 21:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-18 21:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-18 10:02 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-01-18 10:02 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-18 10:02 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-01-18 10:02 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-01-18 09:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-01-17 22:12 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-17 15:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-17 13:17 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-17 13:16 <DIR> d-------- C:\DOCUME~1\Nick\.housecall6.6
2007-01-17 07:14 17,920 --a------ C:\DOCUME~1\Nick\Application Data\xlibgfl254.dll
2007-01-16 20:32 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-16 20:32 <DIR> d-------- C:\Program Files\Grisoft
2007-01-16 20:29 <DIR> d-------- C:\Program Files\Folder Guide
2007-01-16 08:26 21,425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-01-16 08:24 <DIR> d-------- C:\Intel
2007-01-15 15:57 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2007-01-15 15:57 3,712 --a------ C:\WINDOWS\system32\drivers\LBeepKE.sys
2007-01-15 15:57 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
2007-01-15 15:57 131,072 --a------ C:\WINDOWS\system32\KemUtil.dll
2007-01-15 15:57 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2007-01-14 22:22 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-14 22:22 <DIR> d-------- C:\WINDOWS\system32\skins
2007-01-14 22:18 <DIR> d-------- C:\Program Files\TrueLaunchBar
2007-01-14 22:12 <DIR> d-------- C:\DOCUME~1\Nick\Application Data\U3
2007-01-14 20:38 23,040 --a------ C:\DOCUME~1\Nick\furhmggk.exe
2007-01-14 20:17 <DIR> d-------- C:\bluetooth_temp.tos
2007-01-14 20:09 <DIR> d-------- C:\3m200v18
2007-01-14 19:27 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2007-01-14 19:27 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2007-01-14 19:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-01-13 07:49 <DIR> d-------- C:\Program Files\JelloDashboard
2007-01-12 21:22 23,040 --a------ C:\DOCUME~1\Nick\yjwnfwlk.exe
2007-01-12 08:58 23,040 --a------ C:\DOCUME~1\Nick\rcuqvamd.exe
2007-01-11 17:24 23,040 --a------ C:\DOCUME~1\Nick\nkjirkln.exe
2007-01-09 08:15 22,528 --a------ C:\DOCUME~1\Nick\tquznwyh.exe
2007-01-09 08:07 22,528 --a------ C:\DOCUME~1\Nick\dxvusxee.exe
2007-01-09 08:07 18,432 --a------ C:\WINDOWS\system32\xlibgfl254.dll
2007-01-08 20:59 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-08 20:40 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-01-08 20:40 123,200 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-01-08 20:39 <DIR> d-------- C:\Program Files\Symantec
2007-01-08 20:38 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-01-08 20:38 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-01-08 20:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Symantec
2007-01-03 08:50 <DIR> d-------- C:\Program Files\MozBackup
2006-12-29 14:53 <DIR> d-------- C:\DOCUME~1\Nick\Application Data\Dexpot
2006-12-29 12:15 <DIR> d-------- C:\Program Files\The Cleaner
2006-12-29 08:23 <DIR> d-------- C:\Program Files\Dexpot
2006-12-24 11:55 <DIR> d-------- C:\WINDOWS\CSC
2006-12-21 18:35 <DIR> d-------- C:\WINDOWS\system32\ultra
2006-12-19 16:52 <DIR> d-------- C:\Program Files\Genius 2000


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-19 15:07 -------- d-------- C:\Program Files\mozilla firefox
2007-01-19 15:00 -------- d-------- C:\DOCUME~1\Nick\Application Data\popfile
2007-01-19 14:43 -------- d-------- C:\DOCUME~1\Nick\Application Data\adobeum
2007-01-19 11:21 -------- d-------- C:\Program Files\trillian
2007-01-19 06:04 -------- d-------- C:\Program Files\emailer
2007-01-18 21:15 6968 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-18 10:14 -------- d-------- C:\DOCUME~1\Nick\Application Data\toshiba
2007-01-17 23:39 -------- d-------- C:\Program Files\windows journal
2007-01-17 23:39 -------- d-------- C:\Program Files\windows defender
2007-01-17 23:39 -------- d-------- C:\Program Files\vbtucopy
2007-01-17 23:39 -------- d-------- C:\Program Files\popfile
2007-01-17 23:39 -------- d-------- C:\Program Files\ltmoh
2007-01-17 23:39 -------- d-------- C:\Program Files\keywallet
2007-01-17 23:39 -------- d-------- C:\Program Files\autohotkey
2007-01-17 23:39 -------- d-------- C:\Program Files\apoint2k
2007-01-15 15:56 -------- d-------- C:\Program Files\Common Files\logitech
2007-01-14 20:28 -------- d-------- C:\Program Files\toshiba
2007-01-13 07:28 -------- d-------- C:\Program Files\sbc self support tool
2007-01-11 11:06 -------- d-------- C:\Program Files\yahoo!
2007-01-11 11:04 -------- d-------- C:\Program Files\Common Files\scanner
2007-01-08 20:30 -------- d-------- C:\Program Files\abacast
2007-01-08 20:02 -------- d-------- C:\Program Files\background boss
2007-01-06 10:14 -------- d-------- C:\Program Files\openoffice.org1.1.5
2006-12-23 11:25 38465 --a------ C:\DOCUME~1\Nick\Application Data\microsoft excel.adr
2006-12-23 07:33 -------- d-------- C:\Program Files\privoxy
2006-12-14 20:12 -------- d-------- C:\Program Files\clamwin
2006-12-09 11:05 -------- d-------- C:\Program Files\Common Files\motive
2006-12-09 11:04 -------- d-------- C:\Program Files\mailshell
2006-12-08 17:30 4096 --a------ C:\WINDOWS\system32\ntsystem.exe
2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-30 12:19 -------- d-------- C:\Program Files\usps
2006-11-24 13:22 -------- d-------- C:\Program Files\wisdom-soft screenhunter plus
2006-11-21 07:21 -------- d-------- C:\Program Files\zabkat
2006-11-07 21:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 05:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-01 21:10 33 --a------ C:\DOCUME~1\Nick\Application Data\.googlewebacchosts


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"FolderShare"="\"C:\\Program Files\\FolderShare\\FolderShare.exe\" /background"
"KeyWallet"="C:\\PROGRA~1\\KEYWAL~1\\KWallet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"00THotkey"="C:\\WINDOWS\\system32\\00THotkey.exe"
"CrossMenu"="C:\\Program Files\\Toshiba\\CrossMenu\\CrossMenu.exe"
"TapButt"="C:\\Program Files\\Toshiba\\TapButton\\TapButt.exe"
"000StTHK"="000StTHK.exe"
"TAcelMgr"="C:\\Program Files\\TOSHIBA\\Acceleration Utilities\\TAcelMgr\\TAcelMgr.exe"
"TSkrMain"="C:\\Program Files\\TOSHIBA\\Acceleration Utilities\\Shaker\\TSkrMain.exe"
"TPSMain"="TPSMain.exe"
"TFNF5"="TFNF5.exe"
"TosHKCW.exe"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"TMESRV.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMESRV31.EXE /Logon"
"TMERzCtl.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMERzCtl.EXE /Service"
"TosRotation"="\"C:\\Program Files\\TOSHIBA\\TOSHIBA Rotation Utility\\TRot.exe\""
"TAudEffect"="C:\\Program Files\\Toshiba\\TAudEffect\\TAudEff.exe /run"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"NDSTray.exe"="NDSTray.exe"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"Pinger"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe /run"
"TabletWizard"="C:\\WINDOWS\\help\\SplshWrp.exe"
"TabletTip"="\"C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabtip.exe\" /resume"
"ezShieldProtector for Px"="C:\\WINDOWS\\system32\\ezSP_Px.exe"
"VBTUCopy"="C:\\Program Files\\VBTUCopy\\VBTUCopy.exe /a /f"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"12_06 EPSON Stylus C86 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2R1.EXE /P29 \"12_06 EPSON Stylus C86 Series\" /O6 \"USB001\" /M \"Stylus C86\""
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"Logitech Hardware Abstraction Layer"="\"C:\\Program Files\\Common Files\\Logitech\\khalshared\\KHALMNPR.EXE\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"gwiz"="C:\\WINDOWS\\system32\\ntsystem.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"CFSServ.exe"="CFSServ.exe -NoClient"
@=""
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Bluetooth Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Bluetooth Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Toshiba\\BLUETO~1\\TosBtMng.exe "
"item"="Bluetooth Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CompuServe 2000 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\CompuServe 2000 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\CompuServe 2000 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMPUS~2\\cstray.exe -check"
"item"="CompuServe 2000 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotKeys.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HotKeys.lnk"
"backup"="C:\\WINDOWS\\pss\\HotKeys.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{19D50CD6-44B9-4011-9568-084840781C96}\\_69525f90.exe "
"item"="HotKeys"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacroMaker.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MacroMaker.lnk"
"backup"="C:\\WINDOWS\\pss\\MacroMaker.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{49E9E81A-9CA8-4A76-8AD6-BE7E3B2E1E2A}\\_18be6784.exe "
"item"="MacroMaker"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Privoxy.lnk"
"backup"="C:\\WINDOWS\\pss\\Privoxy.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Privoxy\\privoxy.exe "
"item"="Privoxy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SBC Self Support Tool.lnk"
"backup"="C:\\WINDOWS\\pss\\SBC Self Support Tool.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SBCSEL~1\\bin\\matcli.exe -boot"
"item"="SBC Self Support Tool"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Windows Desktop Search.lnk"
"backup"="C:\\WINDOWS\\pss\\Windows Desktop Search.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MSNTOO~1\\DS\\020500~1.111\\en-us\\bin\\WINDOW~3.EXE /startup"
"item"="Windows Desktop Search"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
"path"="C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\Desktop Application Director 9.LNK"
"backup"="C:\\WINDOWS\\pss\\Desktop Application Director 9.LNKStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Corel\\WORDPE~1\\programs\\dad9.exe "
"item"="Desktop Application Director 9"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="C:\\Documents and Settings\\Nick\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVRID"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DragDrop"
"hkey"="HKLM"
"command"="C:\\Program Files\\Drag'n Drop CD+DVD\\BinFiles\\DragDrop.exe /StartUp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZCfgSvc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyWallet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KWallet"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\KEYWAL~1\\KWallet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RoboTaskBarIcon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snippet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SnippingTool"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft Experience Pack\\Snipping Tool\\SnippingTool.exe\" /i"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yop"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"TabletWizard"=hex(2):25,77,69,6e,64,69,72,25,5c,68,65,6c,70,5c,77,69,7a,61,72,\
64,2e,68,74,61,00
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"TabletWizard"=hex(2):25,77,69,6e,64,69,72,25,5c,68,65,6c,70,5c,77,69,7a,61,72,\
64,2e,68,74,61,00
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ {80E95280-2D38-3CB8-A215-FB5F14C4343E}

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll, xlibgfl254.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\SyncBack Weekly backup.job

Completion time: 07-01-19 15:12:34

#10 NickWagner

NickWagner
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 19 January 2007 - 07:24 PM

Here are the results:

C:\WINDOWS\system32\us22.exe
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found Downloader.Small.79 (paranoid heuristics) (probable variant)

C:\DOCUME~1\Nick\Application Data\xlibgfl254.dll
AntiVir
Found HEUR/Malware
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found DLOADER.Trojan (probable variant)
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found Downloader.Small.79 (paranoid heuristics) (probable variant)

C:\DOCUME~1\Nick\yjwnfwlk.exe
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found Trojan.MulDrop.5374
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found Downloader.Small.79 (paranoid heuristics) (probable variant)

C:\DOCUME~1\Nick\rcuqvamd.exe
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found Trojan.MulDrop.5374
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found Downloader.Small.79 (paranoid heuristics) (probable variant)

C:\DOCUME~1\Nick\nkjirkln.exe
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found Trojan.MulDrop.5374
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found Downloader.Small.79 (paranoid heuristics) (probable variant)

C:\DOCUME~1\Nick\tquznwyh.exe
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found Downloader.Small.79 (paranoid heuristics) (probable variant)

C:\DOCUME~1\Nick\dxvusxee.exe
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found Downloader.Small.79 (paranoid heuristics) (probable variant)

C:\WINDOWS\system32\xlibgfl254.dll
AntiVir
Found HEUR/Malware
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found DLOADER.Trojan (probable variant)
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found Downloader.Small.79 (paranoid heuristics) (probable variant)

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:37 AM

Posted 19 January 2007 - 07:30 PM

Hi Nick,

Opps! You posted a ComboFix log.:thumbsup: I need to see a fresh Hijackthis log please. :flowers:

Edited by SifuMike, 19 January 2007 - 07:39 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 NickWagner

NickWagner
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 19 January 2007 - 08:39 PM

Sorry about that. Here is the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 5:36:02 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\VBTUCopy\VBTUCopy.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\KEYWAL~1\KWallet.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Nick\Desktop\Morning start\tclocklight-040702-3\tclock.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe
C:\Documents and Settings\Nick\My Documents\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [12_06 EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P29 "12_06 EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [KeyWallet] C:\PROGRA~1\KEYWAL~1\KWallet.exe
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?da116aaaff98481992f543bb18c15990
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?da116aaaff98481992f543bb18c15990
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/Activ...iveXClient1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: EvtEng - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: RegSrvc - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#13 NickWagner

NickWagner
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 19 January 2007 - 08:40 PM

After I posted HiJackThis, I realized I ran the scan with Symantec on. I don't know if it matters, but here is a scan with Symantec off.

Logfile of HijackThis v1.99.1
Scan saved at 5:38:46 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\VBTUCopy\VBTUCopy.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\KEYWAL~1\KWallet.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Nick\Desktop\Morning start\tclocklight-040702-3\tclock.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Nick\My Documents\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [12_06 EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P29 "12_06 EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [KeyWallet] C:\PROGRA~1\KEYWAL~1\KWallet.exe
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?da116aaaff98481992f543bb18c15990
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?da116aaaff98481992f543bb18c15990
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/Activ...iveXClient1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: EvtEng - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: RegSrvc - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:37 AM

Posted 19 January 2007 - 09:45 PM

Hi Nick,

This computer is quite a mess.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\us22.exe <==file
C:\DOCUME~1\Nick\Application Data\xlibgfl254.dll <==file
C:\DOCUME~1\Nick\yjwnfwlk.exe <==file
C:\DOCUME~1\Nick\rcuqvamd.exe <==file
C:\DOCUME~1\Nick\nkjirkln.exe <==file
C:\DOCUME~1\Nick\tquznwyh.exe <==file
C:\DOCUME~1\Nick\dxvusxee.exe <==file
C:\WINDOWS\system32\xlibgfl254.dll <==file
C:\WINDOWS\system32\ntsystem.exe <==file



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot to the Normal Mode.

Download SUPERantispyware
  • Load SUPERantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log to this thread, post a new Hijackthis log, and tell me how your computer is running..

Edited by SifuMike, 19 January 2007 - 09:46 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 NickWagner

NickWagner
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 20 January 2007 - 01:44 PM

Hi Mike. Here are the logs.

You asked how the computer is working now. So far, neither Windows Defender nor Symantec has popped up showing any problems. Sometimes they don't show up for a while and then pop up later, but so far, so good.

Also, I don't know if it is related, but I've been having a little trouble rebooting the last few times. The computer shuts down and then begins to power back up, and stalls on a blank screen without loading Windows. Then I power it down manually and turn it on again. It comes back up with the option to start in safe mode. I choose the option to start normally, and then things seem fine from there.

SUPERAntiSpyware Scan Log
Generated 01/20/2007 at 10:12 AM

Application Version : 3.5.1016

Core Rules Database Version : 3168
Trace Rules Database Version: 1179

Scan type : Complete Scan
Total Scan Time : 00:58:05

Memory items scanned : 639
Memory threats detected : 0
Registry items scanned : 5809
Registry threats detected : 0
File items scanned : 38634
File threats detected : 4

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\NICK\FAVORITES\ONLINE SECURITY TEST.URL

Trojan.Windows Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C74F877F-F337-4115-9A47-B71C0D9BB1C7}\RP880\A0143249.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C74F877F-F337-4115-9A47-B71C0D9BB1C7}\RP880\A0143250.EXE

Trojan.NWFrame
C:\WINDOWS\SYSTEM32\NTSYSTEM.EXE


Logfile of HijackThis v1.99.1
Scan saved at 10:33:23 AM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\VBTUCopy\VBTUCopy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\PROGRA~1\KEYWAL~1\KWallet.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe
C:\Documents and Settings\Nick\My Documents\My Downloads\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [12_06 EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P29 "12_06 EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [KeyWallet] C:\PROGRA~1\KEYWAL~1\KWallet.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?da116aaaff98481992f543bb18c15990
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?da116aaaff98481992f543bb18c15990
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/Activ...iveXClient1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: EvtEng - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: RegSrvc - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users