
stservice/popups - smitfraud related?



syoti
2007-04-21, 18:04
Hi, I'm kinda new here; I need help regarding my computer. There was this time when I accidentally downloaded an exe file which I opened. The file disappeared when I clicked on it. Sensing something was wrong, I ran all the antivirus programs I had, avast 4 Home Edition and AVG Free Edition 7.5.0.460, which did not detect any viruses. I ran Spybot S&D v1.4 and a Smitfraud-C.Toolbar888 came up. I can't remember the specifics, but I remember it was about a certain file, removalfile.bat. Luckily I was able to fix it. But then, after rebooting my computer, on startup a command box would appear with the heading "stservice" saying "couldn't execute the application." After closing the box, a few minutes later popups would appear saying I need to connect to the net and that webpages are not available offline...
I have searched forums about this and learned about VundoFix. I downloaded it, ran it, and three files came up:
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.ini
which I was able to delete successfully. However, the problem still persisted. I also ran HijackThis v2 and it came up with this log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:17:58 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SmarThumb\MyLock\stservice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\Rar$EX00.078\HiJackThis_v2.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pc.support.global.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {034BCF48-D4E7-4335-8F56-CE9AB44F6961} - C:\WINDOWS\system32\iiffeeb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9FDE6004-4DCE-4409-85D2-9CBE2430D371} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C71E843B-FD09-4561-BDFA-72858A42D564} - C:\WINDOWS\system32\pmkhi.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C596F10-CA0E-4231-BDCA-B3DB75A466DC}: NameServer = 210.14.16.5 210.14.16.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: iiffeeb - C:\WINDOWS\SYSTEM32\iiffeeb.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SmarThumb MyLock Service (STMyLock_Service1) - Intranet Research - C:\Program Files\SmarThumb\MyLock\stservice.exe

--
I ran Spybot again but no threats were found despite the popups.
I would really appreciate any help I can get in removing these popups. Thank you very much.

steamwiz
2007-04-21, 19:58
Hi

There are a couple of programs which should clean it up...

First...

1. Please download VirtumundoBeGone and save it to your desktop.

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

2. Double-click on VirtumundoBeGone.exe and follow the instructions.

Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.

3. When the process finishes, reboot.

4. Post the contents of the VBG.TXT file, which you will find on your desktop

THEN...

Please run this on-line scan :-

http://www.bitdefender.com/scan8/ie.html

Scan the whole computer and let it disinfect/delete everything it finds.

Copy and paste its report here, please.

Please remember to post ...

1. VBG.TXT file
2. BitDefender log
3. A new HijackThis log

steam

syoti
2007-04-22, 17:52
OK, here are the logs:
VBG.TXT file


[04/22/2007, 21:23:17] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Steven Uy\Desktop\VirtumundoBeGone.exe" )
[04/22/2007, 21:23:22] - Detected System Information:
[04/22/2007, 21:23:22] - Windows Version: 5.1.2600, Service Pack 2
[04/22/2007, 21:23:22] - Current Username: Steven Uy (Admin)
[04/22/2007, 21:23:22] - Windows is in NORMAL mode.
[04/22/2007, 21:23:22] - Searching for Browser Helper Objects:
[04/22/2007, 21:23:22] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[04/22/2007, 21:23:22] - BHO 2: {034BCF48-D4E7-4335-8F56-CE9AB44F6961} ()
[04/22/2007, 21:23:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 21:23:22] - Checking for HKLM\...\Winlogon\Notify\iiffeeb
[04/22/2007, 21:23:22] - Found: HKLM\...\Winlogon\Notify\iiffeeb - This is probably Virtumundo.
[04/22/2007, 21:23:22] - Assigning {034BCF48-D4E7-4335-8F56-CE9AB44F6961} MSEvents Object
[04/22/2007, 21:23:22] - BHO list has been changed! Starting over...
[04/22/2007, 21:23:22] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[04/22/2007, 21:23:22] - BHO 2: {034BCF48-D4E7-4335-8F56-CE9AB44F6961} (MSEvents Object)
[04/22/2007, 21:23:22] - ALERT: Found MSEvents Object!
[04/22/2007, 21:23:22] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 21:23:22] - BHO 4: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[04/22/2007, 21:23:22] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/22/2007, 21:23:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 21:23:22] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/22/2007, 21:23:22] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/22/2007, 21:23:22] - BHO 6: {55C91CE1-CDEE-4776-8C10-C6502F85E6A9} ()
[04/22/2007, 21:23:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 21:23:22] - Checking for HKLM\...\Winlogon\Notify\pmkhi
[04/22/2007, 21:23:23] - Found: HKLM\...\Winlogon\Notify\pmkhi - This is probably Virtumundo.
[04/22/2007, 21:23:23] - Assigning {55C91CE1-CDEE-4776-8C10-C6502F85E6A9} MSEvents Object
[04/22/2007, 21:23:23] - BHO list has been changed! Starting over...
[04/22/2007, 21:23:23] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[04/22/2007, 21:23:23] - BHO 2: {034BCF48-D4E7-4335-8F56-CE9AB44F6961} (MSEvents Object)
[04/22/2007, 21:23:23] - ALERT: Found MSEvents Object!
[04/22/2007, 21:23:23] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 21:23:23] - BHO 4: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[04/22/2007, 21:23:23] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/22/2007, 21:23:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 21:23:23] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/22/2007, 21:23:23] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/22/2007, 21:23:23] - BHO 6: {55C91CE1-CDEE-4776-8C10-C6502F85E6A9} (MSEvents Object)
[04/22/2007, 21:23:23] - ALERT: Found MSEvents Object!
[04/22/2007, 21:23:23] - BHO 7: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/22/2007, 21:23:23] - BHO 8: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[04/22/2007, 21:23:23] - BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 21:23:23] - BHO 10: {9FDE6004-4DCE-4409-85D2-9CBE2430D371} ()
[04/22/2007, 21:23:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 21:23:23] - No filename found. Continuing.
[04/22/2007, 21:23:23] - BHO 11: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[04/22/2007, 21:23:23] - BHO 12: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[04/22/2007, 21:23:23] - Finished Searching Browser Helper Objects
[04/22/2007, 21:23:23] - *** Detected MSEvents Object
[04/22/2007, 21:23:23] - Trying to remove MSEvents Object...
[04/22/2007, 21:23:24] - Terminating Process: IEXPLORE.EXE
[04/22/2007, 21:23:24] - Terminating Process: RUNDLL32.EXE
[04/22/2007, 21:23:25] - Disabling Automatic Shell Restart
[04/22/2007, 21:23:25] - Terminating Process: EXPLORER.EXE
[04/22/2007, 21:23:25] - Suspending the NT Session Manager System Service
[04/22/2007, 21:23:26] - Terminating Windows NT Logon/Logoff Manager
[04/22/2007, 21:23:26] - Re-enabling Automatic Shell Restart
[04/22/2007, 21:23:26] - File to disable: C:\WINDOWS\system32\iiffeeb.dll
[04/22/2007, 21:23:26] - Renaming C:\WINDOWS\system32\iiffeeb.dll -> C:\WINDOWS\system32\iiffeeb.dll.vir
[04/22/2007, 21:23:27] - File successfully renamed!
[04/22/2007, 21:23:27] - Removing HKLM\...\Browser Helper Objects\{034BCF48-D4E7-4335-8F56-CE9AB44F6961}
[04/22/2007, 21:23:27] - Removing HKCR\CLSID\{034BCF48-D4E7-4335-8F56-CE9AB44F6961}
[04/22/2007, 21:23:27] - Adding Kill Bit for ActiveX for GUID: {034BCF48-D4E7-4335-8F56-CE9AB44F6961}
[04/22/2007, 21:23:27] - Deleting ATLEvents/MSEvents Registry entries
[04/22/2007, 21:23:27] - Removing HKLM\...\Winlogon\Notify\iiffeeb
[04/22/2007, 21:23:27] - Searching for Browser Helper Objects:
[04/22/2007, 21:23:27] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[04/22/2007, 21:23:27] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 21:23:27] - BHO 3: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[04/22/2007, 21:23:27] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/22/2007, 21:23:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 21:23:27] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/22/2007, 21:23:27] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/22/2007, 21:23:27] - BHO 5: {55C91CE1-CDEE-4776-8C10-C6502F85E6A9} (MSEvents Object)
[04/22/2007, 21:23:27] - ALERT: Found MSEvents Object!
[04/22/2007, 21:23:27] - BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/22/2007, 21:23:27] - BHO 7: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[04/22/2007, 21:23:27] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 21:23:27] - BHO 9: {9FDE6004-4DCE-4409-85D2-9CBE2430D371} ()
[04/22/2007, 21:23:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 21:23:27] - No filename found. Continuing.
[04/22/2007, 21:23:27] - BHO 10: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[04/22/2007, 21:23:27] - BHO 11: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[04/22/2007, 21:23:27] - Finished Searching Browser Helper Objects
[04/22/2007, 21:23:27] - *** Detected MSEvents Object
[04/22/2007, 21:23:27] - Trying to remove MSEvents Object...
[04/22/2007, 21:23:28] - Terminating Process: IEXPLORE.EXE
[04/22/2007, 21:23:28] - Terminating Process: RUNDLL32.EXE
[04/22/2007, 21:23:28] - Disabling Automatic Shell Restart
[04/22/2007, 21:23:28] - Terminating Process: EXPLORER.EXE
[04/22/2007, 21:23:28] - Suspending the NT Session Manager System Service
[04/22/2007, 21:23:28] - Terminating Windows NT Logon/Logoff Manager
[04/22/2007, 21:23:28] - Re-enabling Automatic Shell Restart
[04/22/2007, 21:23:28] - File to disable: C:\WINDOWS\system32\pmkhi.dll
[04/22/2007, 21:23:28] - Renaming C:\WINDOWS\system32\pmkhi.dll -> C:\WINDOWS\system32\pmkhi.dll.vir
[04/22/2007, 21:23:29] - File successfully renamed!
[04/22/2007, 21:23:29] - Removing HKLM\...\Browser Helper Objects\{55C91CE1-CDEE-4776-8C10-C6502F85E6A9}
[04/22/2007, 21:23:29] - Removing HKCR\CLSID\{55C91CE1-CDEE-4776-8C10-C6502F85E6A9}
[04/22/2007, 21:23:29] - Adding Kill Bit for ActiveX for GUID: {55C91CE1-CDEE-4776-8C10-C6502F85E6A9}
[04/22/2007, 21:23:29] - Deleting ATLEvents/MSEvents Registry entries
[04/22/2007, 21:23:29] - Removing HKLM\...\Winlogon\Notify\pmkhi
[04/22/2007, 21:23:29] - Searching for Browser Helper Objects:
[04/22/2007, 21:23:29] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[04/22/2007, 21:23:29] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/22/2007, 21:23:29] - BHO 3: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[04/22/2007, 21:23:29] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/22/2007, 21:23:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 21:23:29] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/22/2007, 21:23:29] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/22/2007, 21:23:29] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/22/2007, 21:23:29] - BHO 6: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[04/22/2007, 21:23:29] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/22/2007, 21:23:29] - BHO 8: {9FDE6004-4DCE-4409-85D2-9CBE2430D371} ()
[04/22/2007, 21:23:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/22/2007, 21:23:29] - No filename found. Continuing.
[04/22/2007, 21:23:29] - BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[04/22/2007, 21:23:29] - BHO 10: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[04/22/2007, 21:23:29] - Finished Searching Browser Helper Objects
[04/22/2007, 21:23:29] - Finishing up...
[04/22/2007, 21:23:29] - A restart is needed.
[04/22/2007, 21:23:29] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[04/22/2007, 21:23:37] - Attempting to Restart via STOP error (Blue Screen!)


BitDefender log


[General]
App = "BitDefender Online Scanner v8"
Date = 22:04:2007
Time = 22:46:30
Scan Path = C:\;D:\;

[Engines Info]
Virus Definitions = 449624
Engine build = "AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)"
Scan plugins = 2
Archive plugins = 10
Unpack plugins = 2
E-mail plugins = 1
System plugins = 1

[Scan Statistics]
Folders = 5559
Files = 200846
Archives = 6519
Packed files = 344
Identified viruses = 3
Infected files = 7
Warnings = 0
Suspect files = 0
Disinfected files = 0
Deleted files = 7
Copied files = 0
Moved files = 0
Renamed files = 0
I/O Errors = 57

[Scan Settings]
SecondAction = Delete
FirstAction = Disinfect
Heuristics = 1
Enable Warnings = 1
Exclude Ext =
Extensions = *;
Scan Emails = 1
Scan Archives = 1
Scan Packed = 1
Scan Files = 1
Scan Boot = 1
Verify Memory = 0

[Scan Results]
Line00000020 = "C:\Documents and Settings\Steven Uy\Desktop\cochrane\revman42.exe Infected with: Win32.Worm.Gael.A"
Line00000019 = "C:\Documents and Settings\Steven Uy\Desktop\cochrane\revman42.exe Disinfection failed"
Line00000018 = "C:\Documents and Settings\Steven Uy\Desktop\cochrane\revman42.exe Deleted"
Line00000017 = "C:\Documents and Settings\Steven Uy\My Documents\Medicine 04-07\medicine\med 2\infectious_rheuma\SLE\folder.htt Infected with: Trojan.Vbs.Terrorist.B"
Line00000016 = "C:\Documents and Settings\Steven Uy\My Documents\Medicine 04-07\medicine\med 2\infectious_rheuma\SLE\folder.htt Disinfection failed"
Line00000015 = "C:\Documents and Settings\Steven Uy\My Documents\Medicine 04-07\medicine\med 2\infectious_rheuma\SLE\folder.htt Deleted"
Line00000014 = "C:\Documents and Settings\Steven Uy\My Documents\Medicine 04-07\medicine\med 2\infectious_rheuma\SLE\MS-DOS Mode for Games.pif Infected with: Backdoor.Oblivion.A"
Line00000013 = "C:\Documents and Settings\Steven Uy\My Documents\Medicine 04-07\medicine\med 2\infectious_rheuma\SLE\MS-DOS Mode for Games.pif Disinfection failed"
Line00000012 = "C:\Documents and Settings\Steven Uy\My Documents\Medicine 04-07\medicine\med 2\infectious_rheuma\SLE\MS-DOS Mode for Games.pif Deleted"
Line00000011 = "C:\Program Files\Chikka V4\Uninstaller.EXE Infected with: Win32.Worm.Gael.A"
Line00000010 = "C:\Program Files\Chikka V4\Uninstaller.EXE Disinfection failed"
Line00000009 = "C:\Program Files\Chikka V4\Uninstaller.EXE Deleted"
Line00000008 = "C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP90\A0016772.exe Infected with: Win32.Worm.Gael.A"
Line00000007 = "C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP90\A0016772.exe Disinfection failed"
Line00000006 = "C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP90\A0016772.exe Deleted"
Line00000005 = "C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP90\A0017214.exe Infected with: Win32.Worm.Gael.A"
Line00000004 = "C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP90\A0017214.exe Disinfection failed"
Line00000003 = "C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP90\A0017214.exe Deleted"
Line00000002 = "C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP90\A0017215.EXE Infected with: Win32.Worm.Gael.A"
Line00000001 = "C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP90\A0017215.EXE Disinfection failed"
Line00000000 = "C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP90\A0017215.EXE Deleted"
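The VirtumundoBeGone log above shows the check it applies: a BHO with no default name is treated as Virtumundo only if a Winlogon Notify key named after its DLL also exists (iiffeeb and pmkhi were hit, SDHelper was not). The script below is an added example, not a tool from this thread or from VirtumundoBeGone: it re-implements that correlation over pasted HijackThis O2/O20 lines and then diffs the BHO list of the first log against the log posted after cleanup, so you can confirm the two DLLs actually left. The line formats are assumed from the HijackThis v2.0.0 output in this thread; the two excerpts embedded below are copied from the logs posted here (the full-DLL-name match is a stricter generalization of the tool's key-name check).

```python
"""Added example (not a tool from this thread): correlate HijackThis O2 (BHO)
entries with O20 (Winlogon Notify) entries the way VirtumundoBeGone does, and
diff a pre-cleanup log against a post-cleanup log.
Line formats are assumed from the HijackThis v2.0.0 output shown in the thread."""
import re
from pathlib import PureWindowsPath

# A HijackThis line is "<section> - <rest>", e.g. "O2 - BHO: ..." (assumed from the logs above).
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# O2/O20 lines copied from the first HijackThis log in this thread (before cleanup).
BEFORE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {034BCF48-D4E7-4335-8F56-CE9AB44F6961} - C:\WINDOWS\system32\iiffeeb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9FDE6004-4DCE-4409-85D2-9CBE2430D371} - (no file)
O2 - BHO: (no name) - {C71E843B-FD09-4561-BDFA-72858A42D564} - C:\WINDOWS\system32\pmkhi.dll
O20 - Winlogon Notify: iiffeeb - C:\WINDOWS\SYSTEM32\iiffeeb.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
"""

# The same sections from the log posted after VirtumundoBeGone ran (no O20 lines remain).
AFTER_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9FDE6004-4DCE-4409-85D2-9CBE2430D371} - (no file)
"""


def parse_hjt(text):
    """Return ([BHO dicts], [Winlogon Notify dicts]); every other section is ignored."""
    bhos, notify = [], []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, rest = m.group("section"), m.group("rest")
        if section == "O2":
            b = BHO_RE.match(rest)
            if b:
                bhos.append(b.groupdict())
        elif section == "O20":
            n = NOTIFY_RE.match(rest)
            if n:
                notify.append(n.groupdict())
    return bhos, notify


def dll_name(path):
    """Case-folded file name of a Windows path; '(no file)' is returned unchanged."""
    return PureWindowsPath(path).name.lower()


def suspicious_bhos(bhos, notify):
    """Unnamed BHOs whose DLL is also loaded by winlogon through a Notify package.

    VirtumundoBeGone checks for a Notify subkey named after the DLL's base name
    (iiffeeb.dll -> key 'iiffeeb'); matching on the full DLL name as well also
    catches a Notify key registered under an unrelated name but pointing at the same DLL.
    """
    notify_dlls = {dll_name(n["path"]) for n in notify}
    notify_keys = {n["key"].lower() for n in notify}
    flagged = []
    for b in bhos:
        if b["name"] != "(no name)":
            continue
        p = PureWindowsPath(b["path"])
        if p.name.lower() in notify_dlls or p.stem.lower() in notify_keys:
            flagged.append(b)
    return flagged


def report(before_text, after_text):
    """Summarise both logs and what changed between them, as sorted DLL names."""
    b_bhos, b_notify = parse_hjt(before_text)
    a_bhos, a_notify = parse_hjt(after_text)
    before_dlls = {dll_name(b["path"]) for b in b_bhos}
    after_dlls = {dll_name(b["path"]) for b in a_bhos}
    return {
        "suspicious_before": sorted(dll_name(b["path"]) for b in suspicious_bhos(b_bhos, b_notify)),
        "suspicious_after": sorted(dll_name(b["path"]) for b in suspicious_bhos(a_bhos, a_notify)),
        "removed_bhos": sorted(before_dlls - after_dlls),
        "notify_after": sorted(dll_name(n["path"]) for n in a_notify),
        # Unnamed BHOs that survive cleanup: benign here (Spybot's SDHelper) or orphaned ("(no file)").
        "unnamed_after": sorted(dll_name(b["path"]) for b in a_bhos if b["name"] == "(no name)"),
    }


if __name__ == "__main__":
    for key, value in report(BEFORE_LOG, AFTER_LOG).items():
        print(f"{key}: {value}")
```

Note that the pmkhi.dll BHO carries CLSID {C71E843B-...} in the HijackThis log but {55C91CE1-...} in the VBG log, so the diff keys on the DLL name rather than the CLSID. An unnamed BHO on its own (SDHelper.dll, or the "(no file)" orphan) is not flagged; only the BHO-plus-Notify pairing is.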

syoti
2007-04-22, 17:53
HijackThis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:50:23 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SmarThumb\MyLock\stservice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\Rar$EX00.047\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pc.support.global.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9FDE6004-4DCE-4409-85D2-9CBE2430D371} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C596F10-CA0E-4231-BDCA-B3DB75A466DC}: NameServer = 210.14.16.5 210.14.16.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SmarThumb MyLock Service (STMyLock_Service1) - Intranet Research - C:\Program Files\SmarThumb\MyLock\stservice.exe

--
End of file - 13504 bytes

I appreciate all the help you can give me. Thanks very much.

syoti
2007-04-22, 18:10
Good day, Smith. OK, I did what you recommended and I rebooted my computer. The problem still persisted though. The same popup appeared: "stservice - couldn't execute the application." What shall I do next? I ran Spybot again and a cookie of Smitfraud-C.Toolbar888 came up. Tracking cookie: Internet Explorer: my name. The cookie is my name@whitescat.com. Thanks.

steamwiz
2007-04-22, 19:59
Hi

Your computer is now clean of the Vundo Trojan and also a worm/virus found and deleted by BitDefender...

Your hijackthis log is now clean...

I have no idea why you are getting the "stservice - couldn't execute the application" pop-up ...

But stservice appears to be a legitimate service/program ...

Here it is in your running processes :-


C:\Program Files\SmarThumb\MyLock\stservice.exe


& here is the service running :-

O23 - Service: SmarThumb MyLock Service (STMyLock_Service1) - Intranet Research - C:\Program Files\SmarThumb\MyLock\stservice.exe

It doesn't appear to have any problems running...

This is what it is :-

http://www.thinkcomputers.org/v2/index.php?x=reviews&id=449


my.lock

Lock your PC with plug-and-play convenience to prevent unauthorized access, and to protect your privacy and the confidentiality of your work. With my.lock your USB flash drive becomes a key - just plug and unplug to unlock and lock your PC.

Price: USD 9.90


& here :-

http://www.pcworld.com.ph/?_s=7&_ss=P&P=3&PN=3219&L=S&II=126&ID=S,126,PWP,PWP-10



My.Lock transforms your USB key into a real key for your PC. Your files and programs can be kept safe inside your computer by activating the program and locking them in. Simply unplugging the USB key locks the computer, while plugging it back in unlocks it.


It is supposed to act as a lock to lock your computer ... I presume the popup is telling you it can't do that for some reason...

steam
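
The check steamwiz did by hand above (find the process in "Running processes", then find the O23 service that registers that exact executable) can be scripted over the HijackThis line formats shown in this log. The following is an added example, not code from this thread or from the HijackThis tool; the sample lines are a constructed subset copied from the log above, and the conditions it flags (targets reported as "(no file)" or "(file missing)", services with no vendor string, O17 NameServer overrides) are this example's own triage choices, not HijackThis rules.

```python
"""Triage helper for HijackThis-style logs (added example; not code from the
thread above or from the HijackThis tool itself).

It does what the helper did by hand for stservice.exe: take a process seen
under 'Running processes' and look for the O23 service that registers that
exact executable, then list the entries a practitioner wants to review
anyway: targets reported as '(no file)' / '(file missing)', services with
no vendor string, and any O17 NameServer override. Which conditions get
flagged is this example's own choice, not a HijackThis rule.
"""
import re
from dataclasses import dataclass

# Sample input: a constructed subset of lines copied from the log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\SmarThumb\MyLock\stservice.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O2 - BHO: (no name) - {9FDE6004-4DCE-4409-85D2-9CBE2430D371} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C596F10-CA0E-4231-BDCA-B3DB75A466DC}: NameServer = 210.14.16.5 210.14.16.2
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: SmarThumb MyLock Service (STMyLock_Service1) - Intranet Research - C:\Program Files\SmarThumb\MyLock\stservice.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O9", "O23", ...
    kind: str      # "BHO", "Extra button", "Service", ...
    name: str      # display name, e.g. "SmarThumb MyLock Service (STMyLock_Service1)"
    middle: str    # CLSID for O2/O3/O9 entries, vendor/owner string for O23
    path: str      # target file, or "(no file)" / "... (file missing)"


@dataclass(frozen=True)
class NameServer:
    interface: str        # registry key of the adapter
    servers: tuple        # DNS server addresses as written in the log


# "O23 - Service: <name> - <owner> - <path>"; the kind stops at the first colon,
# so a "C:\" inside the path cannot be mistaken for it.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.+)$")
O17_RE = re.compile(r"^O17 - (.+?): NameServer = (.+)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_log(text):
    """Return (running_processes, entries, nameservers) from a HijackThis-style log.

    Only the three-part 'name - middle - path' layout is parsed (O2/O3/O9/O18/O22/O23);
    O4 Run keys and R0/R1 lines use other layouts and are skipped in this example.
    """
    processes, entries, nameservers = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = O17_RE.match(line)
        if m:
            nameservers.append(NameServer(m.group(1), tuple(m.group(2).split())))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        section, kind, rest = m.groups()
        parts = rest.split(" - ")
        if len(parts) < 3:
            continue
        # Anything before the last two separators belongs to the display name.
        entries.append(Entry(section, kind, " - ".join(parts[:-2]), parts[-2], parts[-1]))
    return processes, entries, nameservers


def service_for_process(entries, process_path):
    """The O23 service that registers this executable, or None (the stservice check)."""
    for e in entries:
        if e.section == "O23" and e.path.lower() == process_path.lower():
            return e
    return None


def flagged_missing(entries):
    """Entries whose target is gone: orphaned CLSIDs and buttons worth cleaning up."""
    return [e for e in entries if e.path.endswith(MISSING_MARKERS)]


def services_without_vendor(entries):
    """O23 services whose binary carries no vendor string; verify these by hand."""
    return [e for e in entries if e.section == "O23" and e.middle == "Unknown owner"]


def triage(text):
    """Run every check and return plain structures that are easy to assert on."""
    processes, entries, nameservers = parse_log(text)
    svc_map = {p: service_for_process(entries, p) for p in processes}
    return {
        "process_to_service": {p: (s.name if s else None) for p, s in svc_map.items()},
        "missing_targets": [f"{e.section} {e.name} -> {e.path}" for e in flagged_missing(entries)],
        "services_without_vendor": [e.name for e in services_without_vendor(entries)],
        "nameservers": [ns.servers for ns in nameservers],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The O17 entry is reported rather than judged: the two addresses in this log belong to whatever resolver the owner's ISP handed out, and the script has no way to know that, so it lists them for the person reading the log to confirm. Likewise a service with "Unknown owner" only means the binary has no embedded vendor string, which is true of plenty of legitimate software (both avast! services here), so that list is a review queue, not a verdict.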

syoti
2007-04-22, 20:27
OK, thanks so much for your help. I really find this forum to be helpful. The important thing is my computer is free of trojans and worms. Thanks again.

steamwiz
2007-04-22, 22:52
You're very welcome :)

Happy surfing

steam