
Thread: malware that keeps coming back

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    15

    malware that keeps coming back

    Recently I have been getting pop-up ads. Those have stopped somewhat, but when I scan for malware, I can't delete any of the files that are "infected". Here is my HJT logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:25:01 PM, on 6/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ACS.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\a-squared Anti-Malware\a2guard.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\TOSHIBA\IVP\ISM\pinger.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\EzButton\EzButton.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\?icrosoft.NET\winspool.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\TEMP\win2C5.tmp.exe
    F:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {8069A0FC-6A37-12BF-6DB1-64F3B9406FB7} - C:\WINDOWS\system32\cqi.dll (file missing)
    O2 - BHO: (no name) - {CB1E231E-E884-C856-D65C-BF3EC52520B3} - C:\WINDOWS\system32\iemlkf.dll (file missing)
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [RAMBooster.Net] C:\Program Files\RAMBooster.Net\RAMBooster.exe -m
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
    O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [cc231b22.exe] C:\WINDOWS\system32\cc231b22.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Oidxulq] C:\Program Files\Common Files\?icrosoft.NET\winspool.exe
    O4 - HKCU\..\Run: [Esrm] "C:\PROGRA~1\COMMON~1\WNSXS~1\spoolsv.exe" -vt ndrv
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe"
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [Uypkh] C:\WINDOWS\system32\?ti2evxx.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [e04f2b69.exe] C:\Documents and Settings\Drew\Local Settings\Application Data\e04f2b69.exe
    O4 - HKCU\..\Run: [Cool Desk] C:\Program Files\ShellToys\Cool Desk\Cdesk.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: downloads.emugp.com
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/insta...SSWebAgent.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1139636817546
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: cbxvsqn - cbxvsqn.dll (file missing)
    O20 - Winlogon Notify: mljijhf - mljijhf.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  2. #2
    Junior Member
    Join Date
    Jun 2006
    Posts
    15


    Also, whenever I go onto the internet, it freezes, mouse and everything, and it doesn't matter how long I wait, it stays frozen. Thanks for any help possible!

  3. #3
    Emeritus
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,144


    Download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.

    Then post a new hijackthis log.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004

  4. #4
    Junior Member
    Join Date
    Jun 2006
    Posts
    15


    I ran Vundo but it said that nothing was found. Here is the log file again though:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:31:32 PM, on 6/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ACS.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\?icrosoft.NET\winspool.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\a-squared\a2start.exe
    C:\Program Files\a-squared\a2scan.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\TEMP\win2C5.tmp.exe
    F:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {8069A0FC-6A37-12BF-6DB1-64F3B9406FB7} - C:\WINDOWS\system32\cqi.dll (file missing)
    O2 - BHO: (no name) - {CB1E231E-E884-C856-D65C-BF3EC52520B3} - C:\WINDOWS\system32\iemlkf.dll (file missing)
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Oidxulq] C:\Program Files\Common Files\?icrosoft.NET\winspool.exe
    O4 - HKCU\..\Run: [Esrm] "C:\PROGRA~1\COMMON~1\WNSXS~1\spoolsv.exe" -vt ndrv
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe"
    O4 - HKCU\..\Run: [Uypkh] C:\WINDOWS\system32\?ti2evxx.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: downloads.emugp.com
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/insta...SSWebAgent.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1139636817546
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: cbxvsqn - cbxvsqn.dll (file missing)
    O20 - Winlogon Notify: mljijhf - mljijhf.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  5. #5
    Emeritus
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,144


    Close all Browser and Program Windows and have HijackThis fix the following.
    Do this by checking the box beside each and then clicking on Fix checked.

    O2 - BHO: (no name) - {8069A0FC-6A37-12BF-6DB1-64F3B9406FB7} - C:\WINDOWS\system32\cqi.dll (file missing)
    O2 - BHO: (no name) - {CB1E231E-E884-C856-D65C-BF3EC52520B3} - C:\WINDOWS\system32\iemlkf.dll (file missing)
    O20 - Winlogon Notify: cbxvsqn - cbxvsqn.dll (file missing)
    O20 - Winlogon Notify: mljijhf - mljijhf.dll (file missing)
    O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll


    Reboot in safe mode, instructions here.
    Some of these files may have hidden attributes.
    Click Here should you need instructions for showing hidden files and folders in Windows.
    Once in safe mode, click Start, then My Computer, then Local Disk, and follow the process tree.
    Or, using Windows Explorer, locate the first file, right-click it and select Delete.

    Delete the following file(s) listed in bold.
    C:\WINDOWS\SYSTEM32\winrkq32.dll

    Download and run - ATF Cleaner instructions here.

    Rescan with HJT and post a new log here.
    Also please describe how your computer behaves at the moment
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004
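An added example, not part of this thread and not HijackThis code: a small Python checker that applies the same heuristics the helper used in the post above to pick out the O2, O4 and O20 lines to fix, run over a subset of lines copied from the first log in this thread. The allowlist of known Winlogon Notify packages and the list of system binary names are assumptions a defender would maintain for their own environment.

```python
import ntpath
import re
from dataclasses import dataclass

# Line shapes for the three HijackThis sections the helper acted on in this thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Assumption: an allowlist of Winlogon Notify packages known to be legitimate on
# this machine (Windows Genuine Advantage and Webroot Spy Sweeper).
KNOWN_NOTIFY = {"wgalogon", "wrnotifier"}
SYSTEM32 = r"c:\windows\system32"
# Assumption: names of core Windows binaries that only belong in system32.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)

# Constructed sample: a subset of lines copied from the first HJT log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8069A0FC-6A37-12BF-6DB1-64F3B9406FB7} - C:\WINDOWS\system32\cqi.dll (file missing)
O2 - BHO: (no name) - {CB1E231E-E884-C856-D65C-BF3EC52520B3} - C:\WINDOWS\system32\iemlkf.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [cc231b22.exe] C:\WINDOWS\system32\cc231b22.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Oidxulq] C:\Program Files\Common Files\?icrosoft.NET\winspool.exe
O4 - HKCU\..\Run: [Esrm] "C:\PROGRA~1\COMMON~1\WNSXS~1\spoolsv.exe" -vt ndrv
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Uypkh] C:\WINDOWS\system32\?ti2evxx.exe
O20 - Winlogon Notify: cbxvsqn - cbxvsqn.dll (file missing)
O20 - Winlogon Notify: mljijhf - mljijhf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


@dataclass
class Finding:
    line: str
    reasons: list


def command_path(cmd):
    """Return the executable path from an O4 command string (quoted or bare)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_o2(m):
    # A BHO whose DLL is gone is a leftover registration; the helper fixed
    # exactly the unnamed ones with "(file missing)".
    reasons = []
    if "(file missing)" in m["path"]:
        reasons.append("BHO DLL missing on disk")
        if m["name"] == "(no name)":
            reasons.append("BHO has no name")
    return reasons


def check_o4(m):
    path = command_path(m["cmd"])
    base = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    reasons = []
    if "?" in path:
        # HijackThis prints a non-ASCII character as '?'; a lookalike of a system path.
        reasons.append("non-ASCII character in path (rendered as '?'), lookalike of a system path")
    if base in SYSTEM_BINARIES and folder != SYSTEM32:
        reasons.append(f"system binary name {base} running from outside system32")
    if HEXNAME_RE.match(base):
        reasons.append("random eight-hex-digit executable name")
    if folder in ("c:", "c:\\"):
        reasons.append("executable placed in the drive root")
    return reasons


def check_o20(m):
    reasons = []
    if m["name"].lower() not in KNOWN_NOTIFY:
        reasons.append("Winlogon Notify package not on the allowlist")
    if "(file missing)" in m["path"]:
        reasons.append("Notify DLL missing on disk")
    return reasons


def analyze(log_text):
    """Return a Finding for every O2/O4/O20 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for regex, check in ((O2_RE, check_o2), (O4_RE, check_o4), (O20_RE, check_o20)):
            m = regex.match(line)
            if m:
                reasons = check(m)
                if reasons:
                    findings.append(Finding(line, reasons))
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Entries flagged by the allowlist check still need a look at the DLL on disk before they are fixed; the allowlist only says which Notify packages this particular machine is expected to have.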

  6. #6
    Junior Member
    Join Date
    Jun 2006
    Posts
    15


    Well, I couldn't find winrkq32 in safe mode (Explorer or searching), but I went through with the rest of the things, including ATF-Cleaner. As of right now, my computer doesn't freeze when I go online, but any more help cleaning the rest of my computer would be appreciated!
    New logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:38:05 PM, on 6/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ACS.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\?icrosoft.NET\winspool.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe
    F:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Oidxulq] C:\Program Files\Common Files\?icrosoft.NET\winspool.exe
    O4 - HKCU\..\Run: [Esrm] "C:\PROGRA~1\COMMON~1\WNSXS~1\spoolsv.exe" -vt ndrv
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe"
    O4 - HKCU\..\Run: [Uypkh] C:\WINDOWS\system32\?ti2evxx.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: downloads.emugp.com
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/insta...SSWebAgent.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1139636817546
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
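
    Editor's note with an added triage helper (example code, not from the thread or from HijackThis): two of the O23 lines above, MSMPSVC and MSSQL$SQLEXPRESS, end in a stray double quote, command-line arguments and "(file missing)". In practice that is a display artifact of HijackThis 1.99.1 with a quoted ImagePath that carries parameters, and the file usually does exist; confirm that before treating either service as orphaned. "Unknown owner" on a service whose file is present (ACS.exe here) only means no CompanyName was read from the file's version information; it is a prompt to verify the file by hash or signature, not a detection. A genuinely orphaned service looks like the quoted-argument case minus the quote. The script separates those cases and orders entries for manual review. Its sample input is four lines copied from the log above plus one constructed orphaned-service line ("Example Orphan") that exists on no real system; the flag names and verdict texts are this example's own.

```python
import os
import re
from dataclasses import dataclass

# Four lines copied from the HijackThis log above plus one constructed orphan
# ("Example Orphan") that does not exist on the poster's machine.
SAMPLE_O23 = r"""
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Example Orphan - Unknown owner - C:\WINDOWS\system32\example_orphan.exe (file missing)
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$")
FILE_MISSING = "(file missing)"

# Flags in review order (0 = look at first) and the question each asks of the analyst.
PRIORITY = {"FILE_MISSING": 0, "NO_COMPANY_NAME": 1, "QUOTED_ARGS_ARTIFACT": 2}
VERDICT = {
    "FILE_MISSING": "binary absent: stale uninstall or a payload already deleted; inspect the service's ImagePath",
    "NO_COMPANY_NAME": "no CompanyName in version info; verify the file by hash or signature",
    "QUOTED_ARGS_ARTIFACT": "quoted ImagePath with arguments; confirm the .exe exists before calling it missing",
}


@dataclass
class ServiceEntry:
    name: str
    owner: str
    exe: str
    args: str
    flags: list


def parse_o23(line):
    """Parse one O23 line into a ServiceEntry; return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name, owner, target = m.group("name"), m.group("owner"), m.group("target")
    missing = target.endswith(FILE_MISSING)
    if missing:
        target = target[: -len(FILE_MISSING)].rstrip()
    # A quoted ImagePath with parameters is printed as:  ...\svc.exe" -arg (file missing)
    exe, quote, args = target.partition('"')
    flags = []
    if missing and quote:
        flags.append("QUOTED_ARGS_ARTIFACT")
    elif missing:
        flags.append("FILE_MISSING")
    # "Unknown owner" only says something when HJT actually found the file;
    # when it could not, it could not read version information either.
    if owner == "Unknown owner" and not (missing and quote):
        flags.append("NO_COMPANY_NAME")
    return ServiceEntry(name, owner, exe.strip(), args.strip(), flags)


def triage(log_text):
    """All O23 entries in a HijackThis log, in log order."""
    return [e for e in map(parse_o23, log_text.splitlines()) if e]


def review_order(entries):
    """Entries needing a human look first; vendor-named services with a present file last."""
    return sorted(entries, key=lambda e: min((PRIORITY[f] for f in e.flags), default=3))


def confirm_on_host(entry):
    """Only meaningful on the scanned machine: does the parsed .exe path exist?"""
    return os.path.isfile(entry.exe)


if __name__ == "__main__":
    for e in review_order(triage(SAMPLE_O23)):
        notes = "; ".join(VERDICT[f] for f in e.flags) or "vendor-named, file present"
        print(f"{e.name}: {e.exe} {e.args}".rstrip(), "->", notes)
```

    Run it against a saved HJT log and work the list top down; `confirm_on_host` is there for the second pass on the infected machine itself, where a quoted-argument entry whose file really is absent should be promoted to the orphan bucket.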

  7. #7
    Junior Member
    Join Date
    Jun 2006
    Posts
    15

    Default

    Take that back. My computer froze, except I can still use the mouse. It froze after I tried to exit out of Firefox. I can't even get the Task Manager to come up :(

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,144

    Default

    For now, remove a-squared in Add or Remove Programs.

    Run SpySweeper
    # Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
    # Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
    # When the sweep has finished, click Remove. Click Select All and then Next
    # From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
    # Exit Spy Sweeper.

    Now run this online scan using Internet Explorer:
    Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

    Next, click on Launch Kaspersky Online Scanner.

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings, make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.


    Copy and paste that information from Kaspersky in your next reply, with the results from SpySweeper.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004

  9. #9
    Junior Member
    Join Date
    Jun 2006
    Posts
    15

    Default

    Yay! For the scan it didn't freeze. Here is the Kaspersky file:

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Monday, June 26, 2006 12:32:48 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 26/06/2006
    Kaspersky Anti-Virus database records: 190607
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 96363
    Number of viruses found: 13
    Number of infected objects: 42
    Number of suspicious objects: 7
    Duration of the scan process: 01:58:56

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloadAcceleratorPlus.zip/RestartApp.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloadAcceleratorPlus.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\Drew\Desktop\!Random!\V3 games\Motorola V Razr(Apps, Games, Themes, Rings) Complete\Moto Razr Complete\Games\NFL 2005 [v3 Razr]\NFL 2005 v3.jar/sheet_btackle.png Suspicious: Exploit.Win32.MS05-009 skipped
    C:\Documents and Settings\Drew\Desktop\!Random!\V3 games\Motorola V Razr(Apps, Games, Themes, Rings) Complete\Moto Razr Complete\Games\NFL 2005 [v3 Razr]\NFL 2005 v3.jar/sheet_ftackle.png Suspicious: Exploit.Win32.MS05-009 skipped
    C:\Documents and Settings\Drew\Desktop\!Random!\V3 games\Motorola V Razr(Apps, Games, Themes, Rings) Complete\Moto Razr Complete\Games\NFL 2005 [v3 Razr]\NFL 2005 v3.jar/sheet_lockup.png Suspicious: Exploit.Win32.MS05-009 skipped
    C:\Documents and Settings\Drew\Desktop\!Random!\V3 games\Motorola V Razr(Apps, Games, Themes, Rings) Complete\Moto Razr Complete\Games\NFL 2005 [v3 Razr]\NFL 2005 v3.jar/sheet_run.png Suspicious: Exploit.Win32.MS05-009 skipped
    C:\Documents and Settings\Drew\Desktop\!Random!\V3 games\Motorola V Razr(Apps, Games, Themes, Rings) Complete\Moto Razr Complete\Games\NFL 2005 [v3 Razr]\NFL 2005 v3.jar ZIP: suspicious - 4 skipped
    C:\Documents and Settings\Drew\Local Settings\Temp\svrhost.exe Infected: Trojan.Win32.Pakes skipped
    C:\Documents and Settings\Drew\Local Settings\Temp\svshost.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
    C:\Documents and Settings\Drew\Local Settings\Temp\svshost.exe NSIS: infected - 1 skipped
    C:\Documents and Settings\Drew\Local Settings\Temp\winAE.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
    C:\Documents and Settings\Drew\Local Settings\Temp\winAE.tmp.exe NSIS: infected - 1 skipped
    C:\Program Files\a-squared Anti-Malware\Quarantine\da86c65968a7d48cad9af7b1e582f1eb.a2q/WINDOWS/TEMP/win245.tmp.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\Program Files\a-squared Anti-Malware\Quarantine\da86c65968a7d48cad9af7b1e582f1eb.a2q ZIP: infected - 1 skipped
    C:\Program Files\Common Files\Y1123OA.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
    C:\Program Files\Cowabanga\Cowabanga.exe Infected: Trojan-Dropper.Win32.VB.nn skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP202\A0051231.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP202\A0051320.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP202\A0052316.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP202\A0053316.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP202\A0053395.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP203\A0053535.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP203\A0053561.exe Infected: Trojan-Downloader.Win32.PurityScan.co skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP203\A0053588.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP203\A0054586.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP203\A0055587.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP204\A0055906.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP204\A0056834.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP204\A0056844.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP204\A0057941.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP204\A0058011.exe Infected: Trojan-Downloader.Win32.PurityScan.co skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP204\A0058173.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP204\A0059098.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP204\A0059198.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP206\A0059443.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP211\A0059537.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP212\A0059697.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP212\A0059698.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP212\A0059699.exe Infected: Trojan-Downloader.Win32.Zlob.jc skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP212\A0060536.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP215\A0060801.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP215\A0060810.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP215\A0060814.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP215\A0060880.exe Infected: Trojan-Downloader.Win32.Zlob.up skipped
    C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP215\A0070084.dll Infected: Trojan.Win32.Agent.vg skipped
    C:\WINDOWS\system32\1024\ld15EB.tmp Infected: not-virus:Hoax.Win32.Renos.dv skipped
    C:\WINDOWS\system32\ld101.tmp Infected: Trojan-Downloader.Win32.Zlob.va skipped
    C:\WINDOWS\system32\regperf.exe Infected: Trojan-Downloader.Win32.Zlob.va skipped
    C:\WINDOWS\system32\simpole.tlb Infected: Trojan-Downloader.Win32.Zlob.uu skipped

    Scan process completed.

    Here are the Spy Sweeper results:

    ********
    9:36 PM: | Start of Session, Sunday, June 25, 2006 |
    9:36 PM: Spy Sweeper started
    9:36 PM: Sweep initiated using definitions version 706
    9:36 PM: Starting Memory Sweep
    9:44 PM: Memory Sweep Complete, Elapsed Time: 00:08:17
    9:44 PM: Starting Registry Sweep
    9:44 PM: Found Trojan Horse: trojan agent winlogonhook
    9:44 PM: HKLM\software\microsoft\mssmgr\ (9 subtraces) (ID = 937101)
    9:44 PM: Registry Sweep Complete, Elapsed Time:00:00:20
    9:44 PM: Starting Cookie Sweep
    9:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    9:44 PM: Starting File Sweep
    10:14 PM: File Sweep Complete, Elapsed Time: 00:30:14
    10:14 PM: Full Sweep has completed. Elapsed time 00:38:54
    10:14 PM: Traces Found: 10
    10:16 PM: Removal process initiated
    10:16 PM: Quarantining All Traces: trojan agent winlogonhook
    10:16 PM: Removal process completed. Elapsed time 00:00:01
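
    Editor's note with an added example (not code from the thread, from Kaspersky or from Webroot): the report above counts 42 infected and 7 suspicious objects, but every Last Action is "skipped", so that pass removed nothing, and the paths fall into quite different groups. Objects under C:\System Volume Information\_restore{...}\RP* are System Restore's own copies of earlier files; they are not executed unless that restore point is applied, but every scan will report them again until System Restore is cleared after the cleanup. Objects inside a-squared's Quarantine folder and Spybot's Recovery folder are already contained by another tool. What is left, the files in system32, Program Files and the user's Temp folder, is the live set that needs acting on. The script parses this report format, keeps archive members apart from the ZIP/NSIS roll-up lines that summarise them, and buckets findings by path. The sample excerpt is a handful of lines taken from the report above; the bucket names and the path keywords that define them are this example's own assumptions.

```python
import re
from collections import defaultdict, namedtuple

# Excerpt of the Kaspersky On-line Scanner report above (a handful of its lines).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloadAcceleratorPlus.zip/RestartApp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloadAcceleratorPlus.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Drew\Local Settings\Temp\svrhost.exe Infected: Trojan.Win32.Pakes skipped
C:\Program Files\a-squared Anti-Malware\Quarantine\da86c65968a7d48cad9af7b1e582f1eb.a2q/WINDOWS/TEMP/win245.tmp.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\Program Files\a-squared Anti-Malware\Quarantine\da86c65968a7d48cad9af7b1e582f1eb.a2q ZIP: infected - 1 skipped
C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP212\A0059699.exe Infected: Trojan-Downloader.Win32.Zlob.jc skipped
C:\System Volume Information\_restore{6A121D5F-8930-4849-829A-4FDAB23EA899}\RP215\A0070084.dll Infected: Trojan.Win32.Agent.vg skipped
C:\WINDOWS\system32\regperf.exe Infected: Trojan-Downloader.Win32.Zlob.va skipped
C:\WINDOWS\system32\simpole.tlb Infected: Trojan-Downloader.Win32.Zlob.uu skipped

Scan process completed.
"""

Finding = namedtuple("Finding", "path member kind name action bucket")

# One detected object: "<path>[/<archive member>] Infected|Suspicious: <name> <action>"
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) (?P<kind>Infected|Suspicious): (?P<name>.+?) (?P<action>\S+)$")
# Roll-up for an archive or installer: "<path> ZIP: infected - 1 skipped"; its members
# are already listed on their own lines, so these are not counted as findings.
CONTAINER_RE = re.compile(
    r"^(?P<obj>.+?) (?P<ctype>[A-Z]+): (?P<status>infected|suspicious) - (?P<n>\d+) (?P<action>\S+)$")


def classify(path):
    """Bucket by where the object lives (keywords are this example's assumptions)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"      # System Restore copy: inert, but re-reported every scan
    if "\\quarantine\\" in p or "\\spybot - search & destroy\\recovery\\" in p:
        return "quarantined"        # already contained by another tool
    if "\\local settings\\temp\\" in p or "\\windows\\temp\\" in p:
        return "temp"               # dropped copies; delete
    return "live"                   # system32, Program Files, ...: act on these first


def parse_report(text):
    """Return (findings, containers) from a report in the format shown above."""
    findings, containers = [], []
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION_RE.match(line)
        if m:
            # The outer file (before the first "/") decides the bucket, not the member.
            path, _, member = m.group("obj").partition("/")
            findings.append(Finding(path, member, m.group("kind"), m.group("name"),
                                    m.group("action"), classify(path)))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            containers.append((m.group("obj"), m.group("ctype"), int(m.group("n"))))
    return findings, containers


def triage(text):
    """Findings grouped by bucket, in report order within each bucket."""
    buckets = defaultdict(list)
    for f in parse_report(text)[0]:
        buckets[f.bucket].append(f)
    return buckets


def actions(text):
    """The set of Last Action values; {'skipped'} means nothing was removed."""
    return {f.action for f in parse_report(text)[0]}


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print("   ", f.path, ("/" + f.member if f.member else ""), "->", f.name)
    print("actions seen:", actions(SAMPLE_REPORT))
```

    Feed it the saved report text; the "live" bucket is the worklist, "temp" is a sweep of the Temp folder, and a non-empty "restore_point" bucket is the reminder that the scanner will keep finding the same objects until System Restore is cleared once the live set is gone.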

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,144

    Default

    You will need to disable SpySweeper until we are done.
    To do this, open SpySweeper, click Options over to the left, then Program Options, and uncheck "Load at Windows startup".
    Over to the left, click Shields and uncheck everything there.
    Uncheck "Home page shield".
    Uncheck "Automatically restore default without notification".

    Then run ewido and post the log from it.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004
