Virtumonde and possibly other issues
tychrome22
2007-11-10, 06:51
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:13 PM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [EzButton] "C:\Program Files\EzButton\EzButton.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD97B86-DC48-4ABD-ACC0-0259EAE0F6D6}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{66256D3A-FD59-45DE-9F2B-1FCBF834FE36}: NameServer = 65.83.241.181,67.32.118.46
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 9029 bytes
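As an added example (not part of the original post), here is a small Python triage pass over the HijackThis log above. The sample lines are copied from that log; the rules it applies (registered components with no file on disk, O4 autorun entries that give only an image name, repeated O10 LSP entries, O17 name servers outside private ranges, O23 services with no recognised owner) are the things a helper reads for by hand, and the function and rule names are our own. It only sees what HJT printed, so a component that hides from hijackthis.exe will not show up here either.

```python
"""Triage a HijackThis log: pull out the entries a helper looks at first.

Added example for the log above; rule names and wording are our own.
"""
import re

ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# RFC 1918 ranges: a name server outside them deserves a second look
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

# Lines copied from the HJT log posted above (a subset, enough to exercise each rule).
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD97B86-DC48-4ABD-ACC0-0259EAE0F6D6}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{66256D3A-FD59-45DE-9F2B-1FCBF834FE36}: NameServer = 65.83.241.181,67.32.118.46
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
""".strip().splitlines()


def triage_hjt(lines):
    """Return (section, reason, detail) tuples for entries worth checking."""
    findings = []
    lsp_entries = {}
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m["section"], m["body"]
        if sec in ("O2", "O3", "O9") and "(no file)" in body:
            # CLSID still registered but its DLL is gone: a harmless leftover,
            # or a component that kept itself out of the scan
            findings.append((sec, "registered component with no file on disk", body))
        elif sec == "O4" and "] " in body:
            cmd = body.split("] ", 1)[1].strip()
            if "\\" not in cmd:
                # bare image name: whichever file the PATH search finds first runs
                findings.append((sec, "autorun entry without a full path", cmd))
        elif sec == "O10":
            dll = body.split(":", 1)[1].strip().lower()
            lsp_entries[dll] = lsp_entries.get(dll, 0) + 1
        elif sec == "O16":
            url = re.search(r"\s-\s*(\S*)$", body)
            if url and not url.group(1):
                findings.append((sec, "ActiveX download entry with no source URL", body))
        elif sec == "O17" and "NameServer = " in body:
            servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
            external = [s for s in servers if not PRIVATE_RE.match(s)]
            if external:
                # DNS-changing malware sets these; confirm they belong to the ISP
                findings.append((sec, "non-private DNS servers configured", ",".join(external)))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service binary without a recognised publisher", body))
    for dll, n in lsp_entries.items():
        # 'Unknown' only means HJT has no whitelist entry for it; identify the
        # vendor instead of fixing it, a broken LSP chain takes networking down
        findings.append(("O10", f"Winsock LSP not in HJT whitelist ({n} chain entries)", dll))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage_hjt(SAMPLE_LOG):
        print(f"{section:4} {reason}: {detail}")
```

On the sample it reports the orphaned O3 toolbar, the two O4 entries given as bare file names, the empty O16 entry, the two non-private O17 name servers, the ACS service with no owner, and tmlsp.dll as a single LSP to identify (two chain entries) rather than four lines to "fix".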
tychrome22
2007-11-10, 06:53
The Kaspersky log is too long. I have it saved if it is needed. I'm not sure if this is relevant, but it took a good 19 hours for the Kaspersky scan.
tychrome22
2007-11-10, 07:14
I also read on another person's thread that Viewpoint is useless software and that it should be deleted, so I removed it via Add/Remove Programs. Removed Viewpoint Manager and Viewpoint Media Player.
tychrome22
2007-11-11, 00:31
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 09, 2007 10:44:32 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/11/2007
Kaspersky Anti-Virus database records: 454720
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 62687
Number of viruses found: 9
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 18:57:40
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS00429713-C192-4319-9436-51A30435C93C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS04F0427B-D923-4795-9F0E-3324AAE5D0E6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS113CC702-B438-42E4-AA0E-B8399D77F13E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1256243D-5FB2-4AFB-AB64-1BD72BA2AAE8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS16BB9187-B9CC-4EE2-80E3-53175AA89149.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS17D5508B-AA46-45C8-A0AC-FBDF9F5F42FB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS18CA0430-EA8A-400F-ACDC-F3D46A667196.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1DC687F7-502C-4E7A-9CCF-9189CECCA4EC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS20D356F7-B0D6-458C-84CF-33A34C822AFB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS22386999-CC13-4620-AC99-DEC3EE3A8E99.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS25C8B098-CC40-4623-8D29-C1BDF4197332.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2784582D-B4CF-40CA-BE27-1C7039A10C28.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2845F04E-F66F-4C52-A6A1-5CEA90558CAC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2DD7E9E3-7C04-4C45-BA74-7435086EA6BE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS33F05348-5A3F-422B-B60F-8114B670BB0B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS36AD35BD-789D-411B-BED3-EBBA5C07301B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3A6EC135-EA16-4EF8-938B-9345478D8BF7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3A6F51BD-B9F5-4CD7-8273-82DBED77BA49.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3BE724C3-A510-487E-8F1A-8C9A20D2F0DA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3EEB5209-5E91-40CC-9C72-BF157E5B41D8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS43BA717F-928C-4CBE-8327-7000B608055C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS499DD602-BA4E-4D55-BDFD-058BEBE2B1D2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4BA5B6CD-675F-4BF3-B68C-272B81B085BE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS54342283-B592-48DF-874C-AEA03EC9D4EE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS54C2D15D-A4A8-44BD-967E-B421FF0D459E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS55369794-D0C6-4FDF-9DEF-6068229139C5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS571A4185-4AFA-4DE8-880C-25533DBEC8FF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5EDC488A-B118-425A-8C55-22F4D7D20192.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5F22AE72-BE51-4AB3-A696-DD1CE5C66E86.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS627C75EB-3505-49A4-9101-E0953507891C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS63475F7A-2C0C-4504-8741-E01330ADC93A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS64EA4946-CEB1-4979-A61D-75627EFBFD11.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6794FC09-7488-425D-8179-6DC4A88E9C57.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6D4CA65C-2A56-41AA-96BC-51ED68BF2148.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6F4A26FC-5258-415D-8768-E6107226CA78.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS702292E8-D9E0-426D-ACFB-C5DD5B09A040.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS71E89E05-3B81-47A8-B237-EDFA144BF850.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS72529264-B232-412D-A950-427C9B0CDBC3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS72C92B07-A25B-448E-8907-57FAA801B3D5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS77C6C82F-811D-4096-A537-D43661E893F8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7A2BCB1C-4EA1-40CF-ABD1-1BC0BC70C73F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7B5BD6EF-2976-42CD-9B0A-88475599AEF3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7B8C6C46-B1C0-4101-A2F8-DF0E63FA7868.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7F561D5C-B1C0-4D11-A621-0365FDD05AFB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS85CB493A-EEEA-4AAC-9F03-B1A3A63075AA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS870A6DD4-1E89-4793-B1CF-08B6A926576C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8BA95510-FD58-4053-B884-F8894D5B877B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8DBC8D33-058B-4DBF-A66B-C1140A751A71.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8EE2BAB6-ACFD-4CF4-AF6B-9DB0270D097C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS92A49A9C-B75A-42B8-BA7B-5C724D0B9DD1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS934151FF-59CB-4A46-97D3-D2688651DB99.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9B4CFBDC-1C70-41FF-A956-C411059C5118.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9D0EBBA0-6C50-45BC-959F-F704F6DA41AE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9DACF8DC-4AB3-4743-807B-4EF34983FEF9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9E18FC36-FBE4-4007-AEDD-9056ACE20F9A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9E63B255-0CAC-4F6E-A0E3-8B3E51939512.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA016AC7A-42D3-467B-851A-42D20BC06587.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA37B57E0-CF0E-4FA2-9A8B-AFDC09E1BF1E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA4B8A1D7-D083-4C8B-8DB8-2CED71EE9A8C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSACA6B662-5E6B-4A12-B601-F31DE2481A41.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSAFB0B61C-5305-45F3-89D9-287546327E65.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB156E17B-FEAF-4E8F-9EE1-83428B98DE3D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB4DADEE1-DC8A-4B00-8EDB-2463A9865F59.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB60F7E31-8DAE-4749-8C88-89F0CC246860.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB89E6285-C6D0-4EF7-A083-D4F3435CFE11.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBA308DA5-0656-4441-8B29-FCE8B51C4F43.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBB70239C-1091-4886-9C3C-755FC87C16B6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC01EBA00-7F1B-4431-A8DD-7030CDFF13E8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC0814D16-4798-4C5B-BB2E-5BBB0E1CE861.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC2CF2328-D661-4551-A4CD-CFB1DC59BF13.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC2D8B6CC-D496-4E0E-A546-D6C06E8F32CC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCD39292A-EF0E-4516-90D4-AE9AE3A3359C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCFD703C2-CF5B-4CAB-9467-3F1119DC4741.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD964B549-0BE1-4B7D-B4F1-F1BEE93DF7E4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDB2816CE-BE0C-4F02-9D02-5A450730EE3E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDE822854-B10A-4AE0-9888-8B107247280F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDED52749-8ACC-4336-AA68-7F9F8695E00B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDF27E6C7-5085-4D55-B982-486F45C4FDBA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDF28428D-5756-4C39-AB11-E0C71F0545F8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE0B36025-48BC-4BB7-A542-D72EF9C990BB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE7F958B2-879A-4FF8-B1A0-5753878769A8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEAEA3167-6C87-497F-8BB4-A1BF395DD8E0.tmp Object is locked skipped
tychrome22
2007-11-11, 00:32
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEB742FA3-8BF0-41A4-A34B-A5842FEF83F6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEBB8E5CB-402D-45AE-A99D-B529C11167AA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF95531BF-A1CD-4887-988D-AE0D1EA11749.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFCF30CD5-4939-42AC-80EE-32E1D3650AC7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFDB719FA-9736-4524-9B82-A9E2FE7A173B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFEC64201-1459-4929-B0ED-0676BD56F631.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFF366547-4880-4254-95E2-0DD31494733E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\cert8.db Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\history.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\key3.db Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\parent.lock Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Webroot\Spy Sweeper\Logs\071108231623.ses Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tyler Cromey\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\29D.tmp Infected: Trojan-Downloader.Win32.Delf.ctz skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\4E.tmp Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\4F.tmp Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\7CF.tmp/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\7CF.tmp ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\7CF.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\B.tmp Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\D6.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\D7.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\D8.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\D9.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\E2.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\E3.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\E9.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\EA.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0C1D1238-A1EF-43EA-9ACF-9240DDBA7386}\RP678\change.log Object is locked skipped
C:\Temp\ocli.exe/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Temp\ocli.exe/data0003/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Temp\ocli.exe/data0003 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Temp\ocli.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Temp\ocli.exe/data0005 Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Temp\ocli.exe NSIS: infected - 5 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\byxxurr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\khfddax.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xxyvwuv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\WINDOWS\system32\yaywtst.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2007-11-13, 22:10
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You have the right logs, so it looks like you read the directions. Would you read them again to be sure you did not miss anything, like:
Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to bumping; please don't.
This looks like a hidden Vundo infection, and they are getting harder and harder to remove. I would keep your computer offline except when troubleshooting until I say you are clean; the junk will download more. If you still want help, let's start like this:
1) The hackers hide the junk from HijackThis.exe, return to here:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< right click and rename it to tychrome22.exe or whatever you wish. The next HJT log after a reboot should show us the infection.
2) Kaspersky: While you wait, clean this stuff so we don't have to see it again:
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\ <<< delete the contents of the folder in red
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\ <<< delete the contents of that quarantine folder
There is more but that will be most of it.
Post a new HJT log, add any comments you think will help.
Thanks
tychrome22
2007-11-14, 04:45
Thank you so much for the help. And sorry about posting so many times at the beginning.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:44 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: (no name) - {0623346F-63F7-4B09-B2F0-DDD55282D647} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BA0F6BB-F9D0-4633-B395-D3FD24571CCC} - C:\WINDOWS\system32\sstqp.dll
O2 - BHO: (no name) - {1C1DD717-53B2-485E-A17B-C9977C205E10} - C:\WINDOWS\system32\yaywtst.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6410CF3E-C293-43C1-8604-14D5E67FD216} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {78B0CF7B-6BD9-4722-972B-F8DFD74B77E2} - (no file)
O2 - BHO: (no name) - {A89C2BD1-1E9E-4F5C-92D9-5F67BC06F3FE} - C:\WINDOWS\system32\gebyy.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [EzButton] "C:\Program Files\EzButton\EzButton.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD97B86-DC48-4ABD-ACC0-0259EAE0F6D6}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{66256D3A-FD59-45DE-9F2B-1FCBF834FE36}: NameServer = 65.83.241.181,67.32.118.46
O20 - Winlogon Notify: yaywtst - C:\WINDOWS\SYSTEM32\yaywtst.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8921 bytes
tychrome22
2007-11-14, 04:50
Up until 2 weeks ago my virus and spyware software was out of date. I purchased Trend Micro AntiVirus and Spy Sweeper when I did a RAM upgrade. I first started experiencing issues about 3-4 days after installing the new software. It first started with my desktop giving me this error message:
Internet Explorer has experienced a problem or error. As a precaution, your Active Desktop has temporarily been turned off. To start the Active Desktop again, use the following troubleshooting tips
Then when I would troubleshoot, Windows Explorer started going on and off about every 15 seconds and then would finally cut off completely. I tried rebooting and experienced the same issues. Then I tried using the Task Manager to start Explorer back up and the same problem started again. I did a spyware and antivirus scan and realized I had an infection. So I've given up and resorted to running my computer out of the Task Manager and hoping that this forum will be able to help me out.
pskelley
2007-11-14, 15:45
Thanks for returning your information and the feedback. Most of the problems you mention sound like they are being caused by this junk; let's see what happens when we kick it out, and expect that to be some work.
I'll start you with some information about this junk.
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_05\ <<< Your Java version is VERY, VERY old and likely why you are infected. Download the newest version and then uninstall all old versions in Add Remove programs.
C:\Program Files\Trend Micro\HijackThis\HJT.exe <<< you changed it from HijackThis.exe to HJT.exe, and we need to change it to something the malware does not recognize, which was why I suggested: tychrome22.exe
Don't know if any more will show, but please change that.
Read and follow the instructions carefully:
1) Thanks to Atribune and any others who helped with this fix.
Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com
(wait until you finish to post reports and logs)
2) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the Vundofix report, combofix log, a new HJT log and any comments you think will help.
Thanks...Phil
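As an added illustration, not code from the thread or from any of the tools it names: a small Python triage script that applies the reading pskelley does by eye to HijackThis lines copied from the second log above. It flags unnamed BHOs loading a DLL from system32, orphaned "(file missing)"/"(no file)" registrations, and a Winlogon Notify handler that points at the same DLL as an unnamed BHO (the yaywtst.dll pattern). The regexes, the severity labels and the "unnamed + system32" rule are my own assumptions, not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the second log in this
# thread (the O2/O3/O20 load points plus two known-good entries), so the
# triage has both hits and misses to work on.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {0623346F-63F7-4B09-B2F0-DDD55282D647} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BA0F6BB-F9D0-4633-B395-D3FD24571CCC} - C:\WINDOWS\system32\sstqp.dll
O2 - BHO: (no name) - {1C1DD717-53B2-485E-A17B-C9977C205E10} - C:\WINDOWS\system32\yaywtst.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6410CF3E-C293-43C1-8604-14D5E67FD216} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {78B0CF7B-6BD9-4722-972B-F8DFD74B77E2} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: yaywtst - C:\WINDOWS\SYSTEM32\yaywtst.dll
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium" (my own labels)
    section: str    # HijackThis section the entry came from: O2, O3, O20
    path: str       # file the entry loads, as printed in the log
    reason: str


# O2 (BHO) and O3 (toolbar) lines share one layout: name - {CLSID} - path
LOAD_POINT_RE = re.compile(
    r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
# O20 lines: Winlogon Notify: <subkey name> - <dll path>
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def _basename(path: str) -> str:
    """Lower-cased file name, with HijackThis's '(file missing)' tag stripped."""
    cleaned = path.replace("(file missing)", "").strip()
    return cleaned.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list:
    """Return the load-point entries worth a human's attention."""
    findings = []
    unnamed_bho_dlls = set()
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: BHO and toolbar entries. Vendor-named entries are left alone;
    # "(no name)" entries are judged by where their file lives.
    for line in lines:
        m = LOAD_POINT_RE.match(line)
        if not m or m.group("name") != "(no name)":
            continue
        sec, path = "O" + m.group("sec"), m.group("path")
        if path == "(no file)" or path.endswith("(file missing)"):
            findings.append(Finding("medium", sec, path,
                "unnamed entry whose file is gone: orphaned registration, clean up"))
        elif _in_system32(path):
            unnamed_bho_dlls.add(_basename(path))
            findings.append(Finding("high", sec, path,
                "unnamed BHO loading a DLL from system32: Vundo-style load point"))

    # Pass 2: a Winlogon Notify handler that is the same DLL as an unnamed BHO
    # is the reinforced persistence the helper is pointing at in this thread.
    for line in lines:
        m = WINLOGON_RE.match(line)
        if not m:
            continue
        key, path = m.group("key"), m.group("path")
        if _basename(path) in unnamed_bho_dlls:
            findings.append(Finding("high", "O20", path,
                f"Winlogon Notify '{key}' loads the same DLL as an unnamed BHO"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 3, 'medium': 4}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section:3} {f.path}\n         {f.reason}")
    print(summarize(results))
```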
tychrome22
2007-11-15, 07:44
The vundofix log
VundoFix V6.5.11
Checking Java version...
Scan started at 12:11:26 AM 11/15/2007
Listing files found while scanning....
No infected files were found.
tychrome22
2007-11-15, 07:45
Combofix log
ComboFix 07-11-08.1 - Tyler Cromey 2007-11-15 0:22:50.1 - NTFSx86
Running from: C:\Documents and Settings\Tyler Cromey\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\pqtss.ini
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\pqtss.tmp
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.ini
.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.
2007-11-15 00:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 23:05 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-08 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-08 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-08 02:39 <DIR> d-------- C:\VundoFix Backups
2007-11-08 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 20:45 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-11-06 20:45 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-11-06 20:45 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-11-06 20:45 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-11-06 20:45 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-11-06 20:45 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-11-06 20:45 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-11-06 20:44 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-11-06 20:44 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-11-06 20:44 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-11-06 20:44 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-11-06 20:44 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-11-06 20:44 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-11-06 20:44 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-11-06 20:44 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-11-06 20:42 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2007-11-06 20:42 426,041 --a--c--- C:\WINDOWS\system32\dllcache\voicepad.dll
2007-11-06 20:42 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-11-06 20:42 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2007-11-06 20:42 86,073 --a--c--- C:\WINDOWS\system32\dllcache\voicesub.dll
2007-11-06 20:42 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2007-11-06 20:42 48,256 --a--c--- C:\WINDOWS\system32\dllcache\w32.dll
2007-11-06 20:42 19,528 --a--c--- C:\WINDOWS\system32\dllcache\w840nd.sys
2007-11-06 20:42 19,016 --a--c--- C:\WINDOWS\system32\dllcache\w926nd.sys
2007-11-06 20:35 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-11-06 20:35 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2007-11-06 20:35 101,376 --a--c--- C:\WINDOWS\system32\dllcache\srusbusd.dll
2007-11-06 20:35 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2007-11-06 20:35 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-11-06 20:35 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-11-06 20:35 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-11-06 20:35 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2007-11-06 20:31 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2007-11-06 20:31 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2007-11-06 20:31 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2007-11-06 20:31 101,760 --a--c--- C:\WINDOWS\system32\dllcache\sis300ip.sys
2007-11-06 20:31 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2007-11-06 20:31 36,480 --a--c--- C:\WINDOWS\system32\dllcache\sfmanm.sys
2007-11-06 20:31 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-11-06 20:31 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2007-11-06 20:31 3,901 --a--c--- C:\WINDOWS\system32\dllcache\siint5.dll
2007-11-06 19:55 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-11-06 19:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2007-11-06 19:55 148,352 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2007-11-06 19:55 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-11-06 19:55 32,827 --a--c--- C:\WINDOWS\system32\dllcache\tcptest.exe
2007-11-06 19:55 20,536 --a--c--- C:\WINDOWS\system32\dllcache\shtml.dll
2007-11-06 19:55 16,437 --a--c--- C:\WINDOWS\system32\dllcache\shtml.exe
2007-11-06 19:55 16,384 --a--c--- C:\WINDOWS\system32\dllcache\tcptsat.dll
2007-11-06 19:55 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2007-11-06 15:31 35,328 --a------ C:\WINDOWS\system32\khfddax.dll
2007-11-06 15:21 35,328 --a------ C:\WINDOWS\system32\byxxurr.dll
2007-11-06 15:15 35,328 --a------ C:\WINDOWS\system32\xxyvwuv.dll
2007-11-06 15:11 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-06 15:11 <DIR> d-------- C:\Temp\mZOr
2007-11-06 15:11 424,266 --a------ C:\Temp\ocli.exe
2007-11-06 15:11 35,328 --a------ C:\WINDOWS\system32\yaywtst.dll
2007-11-06 00:26 <DIR> d-------- C:\Program Files\AC3Filter
2007-11-06 00:02 <DIR> d-------- C:\Program Files\Xvid
2007-11-06 00:02 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-06 00:02 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-05 23:00 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-11-05 22:59 <DIR> d-------- C:\Program Files\Avi2Dvd
2007-11-05 00:20 <DIR> d-------- C:\CloneDVDTemp
2007-11-03 22:43 <DIR> d-------- C:\Program Files\uTorrent
2007-11-03 22:43 <DIR> d-------- C:\Documents and Settings\Tyler Cromey\Application Data\uTorrent
2007-10-30 19:17 <DIR> d-------- C:\info
2007-10-30 18:15 <DIR> d-------- C:\Program Files\Webroot
2007-10-30 18:15 <DIR> d-------- C:\Documents and Settings\Tyler Cromey\Application Data\Webroot
2007-10-30 18:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-30 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-30 18:15 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-10-30 18:15 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-30 18:15 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-30 18:15 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-30 18:15 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-30 18:15 164 --a------ C:\install.dat
2007-10-30 18:13 <DIR> d-------- C:\WINDOWS\system32\drivers\AU_Backup
2007-10-30 18:13 263,160 --a------ C:\WINDOWS\system32\drivers\Tmfilter.sys
2007-10-30 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-30 18:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-30 18:02 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-30 18:02 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-10-30 17:12 <DIR> d-------- C:\Program Files\Western Digital Technologies
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 04:54 --------- d-----w C:\Program Files\Java
2007-11-10 05:13 --------- d-----w C:\Program Files\Viewpoint
2007-11-10 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-04 03:48 --------- d-----w C:\Program Files\BitComet
2007-10-31 10:23 --------- d-----w C:\Program Files\AIM6
2007-10-31 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-31 00:02 --------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 1
2007-10-29 05:11 --------- d-----w C:\Documents and Settings\Tyler Cromey\Application Data\Canon
2007-10-07 14:32 --------- d-----w C:\Program Files\iTunes
2007-10-07 14:32 --------- d-----w C:\Program Files\iPod
2007-10-07 14:30 --------- d-----w C:\Program Files\Apple Software Update
2007-10-06 20:38 12,358 ----a-w C:\WINDOWS\system32\drivers\tmfilter.cat
2007-09-17 18:41 3,418 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.inf
2007-09-17 18:41 2,557 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.inf
2007-09-17 18:40 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-17 18:31 2,518 ----a-w C:\WINDOWS\system32\drivers\vsapint.inf
2007-09-17 18:31 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-02-20 04:11:17 88 --sh--r C:\WINDOWS\system32\51B291EE52.sys
2007-02-20 04:15:58 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0623346F-63F7-4B09-B2F0-DDD55282D647}]
C:\WINDOWS\system32\jkhfe.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]
2007-11-06 15:11 35328 --a------ C:\WINDOWS\system32\yaywtst.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6410CF3E-C293-43C1-8604-14D5E67FD216}]
C:\WINDOWS\system32\awtsr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78B0CF7B-6BD9-4722-972B-F8DFD74B77E2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A89C2BD1-1E9E-4F5C-92D9-5F67BC06F3FE}]
C:\WINDOWS\system32\gebyy.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 20:14]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 17:43]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 17:00 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 18:46]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-07-07 18:25]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 17:14]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 16:47]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 15:45]
"ZoomingHook"="c:\WINDOWS\System32\ZoomingHook.exe" [2004-07-14 18:07]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 18:23]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-11-18 03:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-11-18 03:11]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 23:10]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"CFSServ.exe"="CFSServ.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [2007-07-05 19:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 15:40]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 05:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-07-09 16:23]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"= C:\WINDOWS\system32\yaywtst.dll [2007-11-06 15:11 35328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywtst]
yaywtst.dll 2007-11-06 15:11 35328 C:\WINDOWS\system32\yaywtst.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvtt.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ade6da8-11de-11db-a31d-0011f56184e9}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{644232ac-1795-11db-a332-00038a000015}]
\Shell\AutoRun\command - PStart.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d318fce-0d53-11db-a31c-0011f56184e9}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 02:17:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-12 06:00:05 C:\WINDOWS\Tasks\wrSpySweeper_LB2869E78DEE5465C83CE7A83169885F9.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 00:33:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-15 0:37:25 - machine was rebooted
.
--- E O F ---
tychrome22
2007-11-15, 07:46
The Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:30 AM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\TyChrome22.exe
C:\WINDOWS\explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: (no name) - {0623346F-63F7-4B09-B2F0-DDD55282D647} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C1DD717-53B2-485E-A17B-C9977C205E10} - C:\WINDOWS\system32\yaywtst.dll
O2 - BHO: (no name) - {43665B3A-F1F7-43CB-8070-8C02C1E10466} - C:\WINDOWS\system32\awvtt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6410CF3E-C293-43C1-8604-14D5E67FD216} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78B0CF7B-6BD9-4722-972B-F8DFD74B77E2} - (no file)
O2 - BHO: (no name) - {A89C2BD1-1E9E-4F5C-92D9-5F67BC06F3FE} - C:\WINDOWS\system32\gebyy.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [EzButton] "C:\Program Files\EzButton\EzButton.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD97B86-DC48-4ABD-ACC0-0259EAE0F6D6}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{66256D3A-FD59-45DE-9F2B-1FCBF834FE36}: NameServer = 65.83.241.181,67.32.118.46
O20 - Winlogon Notify: yaywtst - C:\WINDOWS\SYSTEM32\yaywtst.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 10057 bytes
pskelley
2007-11-15, 13:28
Thanks for returning your information. I will first say the Vundo infection is there, and I do not believe you gave Vundofix the time it needs to locate the junk; sometimes it needs to be run several times. Let's do this:
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
2) Please submit these files to upload malware http://www.uploadmalware.com so they can be added to Vundofix.
C:\WINDOWS\system32\yaywtst.dll
C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\khfddax.dll
C:\WINDOWS\system32\byxxurr.dll
C:\WINDOWS\system32\xxyvwuv.dll
C:\WINDOWS\system32\yaywtst.dll
3) Add the same six files to Vundofix, six can be added at once, follow these directions.
Open Vundofix by Doubleclicking on it, then point your mouse to the white box
above the buttons and right click, then click on Add More Files. When the
next window opens, copy and paste the files into the boxes and click on Add
File(s), then click on Close Window. Then click Remove Vundo.
4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
5) SpySweeper may block our tools: To disable SpySweeper
Open the program
On the left, click: Options, then > Program Options
Uncheck: Load at windows startup
Again on the left click: Shields and uncheck all items there.
Uncheck: Home Page Shield
Uncheck: Automatically restore default without notification
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {0623346F-63F7-4B09-B2F0-DDD55282D647} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {1C1DD717-53B2-485E-A17B-C9977C205E10} - C:\WINDOWS\system32\yaywtst.dll
O2 - BHO: (no name) - {43665B3A-F1F7-43CB-8070-8C02C1E10466} - C:\WINDOWS\system32\awvtt.dll
O2 - BHO: (no name) - {6410CF3E-C293-43C1-8604-14D5E67FD216} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {78B0CF7B-6BD9-4722-972B-F8DFD74B77E2} - (no file)
O2 - BHO: (no name) - {A89C2BD1-1E9E-4F5C-92D9-5F67BC06F3FE} - C:\WINDOWS\system32\gebyy.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: yaywtst - C:\WINDOWS\SYSTEM32\yaywtst.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\Mz02r <<< delete that file
C:\Temp\ <<< delete that folder
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log and some feedback, how is the computer running.
Thanks
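A small triage script for the kind of HJT items singled out in step 6, as an added example (not code from this thread or from HijackThis): it parses the O2/O3/O20 lines, flags unnamed hooks, short random-looking DLLs sitting directly in system32, dead entries whose file is already gone, and a Winlogon Notify hook that loads the same DLL as a BHO, then diffs a before/after log so a DLL that reappears under a new CLSID stands out. The two log excerpts are constructed from lines quoted in this thread.

```python
"""Triage helper for HijackThis v2 log lines (added example, not code from the
thread or from HijackThis). It parses O2 (BHO), O3 (toolbar) and O20 (Winlogon
Notify) lines, flags the patterns the helper above works from, and diffs two
logs so a DLL that came back under a new CLSID stands out. The sample logs
below are constructed from lines quoted in this thread."""
import re
from dataclasses import dataclass

# O2/O3 lines carry "{CLSID} - " before the path; O20 lines do not.
_LINE = re.compile(
    r"^(?P<kind>O2|O3|O20) - (?P<label>[^:]+): (?P<name>.*?) - "
    r"(?:\{(?P<clsid>[0-9A-Fa-f-]{36})\} - )?(?P<path>[^{]*)$"
)
# Vundo-style file name: a few letters, directly in system32, no subfolder.
_SYS32_DLL = re.compile(r"^c:\\windows\\system32\\[a-z]{4,8}\.dll$", re.I)

@dataclass(frozen=True)
class Entry:
    kind: str   # "O2", "O3" or "O20"
    name: str   # display name, "(no name)" when the hook has none
    clsid: str  # CLSID without braces, "" for O20
    path: str   # file path, "(no file)", or a path ending in "(file missing)"

    @property
    def orphan(self) -> bool:
        """Registry entry whose file is already gone (cleanup, not active)."""
        return self.path == "(no file)" or self.path.endswith("(file missing)")

    @property
    def basename(self) -> str:
        clean = self.path.replace(" (file missing)", "")
        return clean.rsplit("\\", 1)[-1].lower()

def parse_hjt(text: str) -> list[Entry]:
    """Pull the hook entries out of a log; every other section is ignored."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["name"], m["clsid"] or "", m["path"]))
    return entries

def triage(entries: list[Entry]) -> dict[str, set[str]]:
    """Reasons to review each entry, keyed by DLL name (CLSID when no file)."""
    bho_dlls = {e.basename for e in entries if e.kind == "O2" and not e.orphan}
    findings: dict[str, set[str]] = {}
    for e in entries:
        reasons = set()
        unnamed = e.name == "(no name)"
        if unnamed:
            reasons.add("unnamed hook")
        if e.kind == "O20":
            reasons.add("Winlogon Notify hook")
            if e.basename in bho_dlls:
                reasons.add("same DLL also loaded as a BHO (Vundo pattern)")
        if e.orphan:
            reasons.add("orphan entry, file already gone")
        elif (unnamed or e.kind == "O20") and _SYS32_DLL.match(e.path):
            reasons.add("short random-looking DLL directly in system32")
        if reasons:
            key = e.clsid if e.path == "(no file)" else e.basename
            findings.setdefault(key, set()).update(reasons)
    return findings

def diff_hooks(before: str, after: str):
    """Hook entries removed and added between two logs, as (kind, clsid, dll)."""
    def keys(text):
        return {(e.kind, e.clsid, e.basename) for e in parse_hjt(text)}
    b, a = keys(before), keys(after)
    return b - a, a - b

def reregistered(removed, added) -> set[str]:
    """DLLs that vanished under one CLSID and came back under another."""
    gone = {(kind, dll): clsid for kind, clsid, dll in removed}
    return {dll for kind, clsid, dll in added
            if dll != "(no file)" and (kind, dll) in gone and gone[(kind, dll)] != clsid}

# Constructed excerpt: the 11/9 log plus the ddabb.dll line from the 11/15 log.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {0623346F-63F7-4B09-B2F0-DDD55282D647} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C1DD717-53B2-485E-A17B-C9977C205E10} - C:\WINDOWS\system32\yaywtst.dll
O2 - BHO: (no name) - {43665B3A-F1F7-43CB-8070-8C02C1E10466} - C:\WINDOWS\system32\awvtt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {78B0CF7B-6BD9-4722-972B-F8DFD74B77E2} - (no file)
O2 - BHO: (no name) - {E6DD52B2-92F0-42FB-B3EF-A8E7F37EFE4D} - C:\WINDOWS\system32\ddabb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: yaywtst - C:\WINDOWS\SYSTEM32\yaywtst.dll
"""
# Constructed excerpt of the 11/16 log, after the HJT fix and Vundofix runs.
LOG_AFTER = r"""
O2 - BHO: (no name) - {0623346F-63F7-4B09-B2F0-DDD55282D647} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C1DD717-53B2-485E-A17B-C9977C205E10} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {78B0CF7B-6BD9-4722-972B-F8DFD74B77E2} - (no file)
O2 - BHO: (no name) - {EC3A9658-8B59-47F0-AF27-B85B2DCC6D39} - C:\WINDOWS\system32\ddabb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
"""
```

Running `triage(parse_hjt(LOG_BEFORE))` reports yaywtst.dll as both a BHO and a Winlogon Notify hook, and `reregistered(*diff_hooks(LOG_BEFORE, LOG_AFTER))` returns ddabb.dll, which came back under a different CLSID between the two logs.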
tychrome22
2007-11-16, 03:18
I'll list my issues in reference to the steps you listed.
2) Kept getting an error message when I tried to upload.
5) On the left, click: Options, then > Program Options
Uncheck: Load at windows startup
Again on the left click: Shields and uncheck all items there.
Uncheck: Home Page Shield
Uncheck: Automatically restore default without notification
I was able to do the blue but I was unable to find the red options.
6) O20 - Winlogon Notify: yaywtst - C:\WINDOWS\SYSTEM32\yaywtst.dll
This file was not listed.
As far as how the computer is running I'm still forced to run everything out of Task Manager. Explorer boots with the computer but it disables itself after about a minute. If I boot it myself it continuously turns on and off as previously described.
Here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:29 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\TyChrome22.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {E6DD52B2-92F0-42FB-B3EF-A8E7F37EFE4D} - C:\WINDOWS\system32\ddabb.dll
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [EzButton] "C:\Program Files\EzButton\EzButton.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD97B86-DC48-4ABD-ACC0-0259EAE0F6D6}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{66256D3A-FD59-45DE-9F2B-1FCBF834FE36}: NameServer = 65.83.241.181,67.32.118.46
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8810 bytes
pskelley
2007-11-16, 14:27
Thanks for returning your information and the feedback.
2) Kept getting an error message when I tried to upload.
If you are talking about this forum, that happens from time to time; just try later. Also, around 6 to 6:30 EST they update, so it is best to avoid trying to post then.
I apologize, I need a look at the C:\vundofix.txt from the last time you ran it to add those files, post that for me please.
One Vundo file showing; understand that if we don't kill it all, it can morph and replace itself.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {E6DD52B2-92F0-42FB-B3EF-A8E7F37EFE4D} - C:\WINDOWS\system32\ddabb.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Look at that item in the HJT log before you remove it, then after you use HJT. It should be gone. If not, open Vundofix and use add files to remove it as you did before. If gone, the HJT log will be clean, no need to post it just now.
Make sure you cleaned the stuff from Kaspersky I posted about in #6 and then run a new Kaspersky scan with these settings:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Post the Vundofix reports from the last two times and the Kaspersky scan results.
Thanks...Phil
tychrome22
2007-11-16, 22:36
Last time my Kaspersky scan took an extremely long time so I'll post these ahead of time.
VundoFix V6.5.11
Checking Java version...
Scan started at 12:11:26 AM 11/15/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete C:\WINDOWS\system32\byxxurr.dll
C:\WINDOWS\system32\byxxurr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\khfddax.dll
C:\WINDOWS\system32\khfddax.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyvwuv.dll
C:\WINDOWS\system32\xxyvwuv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yaywtst.dll
C:\WINDOWS\system32\yaywtst.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\yaywtst.dll
C:\WINDOWS\system32\yaywtst.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\ddabb.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\ddabb.dll Has been deleted!
Performing Repairs to the registry.
Done!
And I went ahead and did a HJT scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:35 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\TyChrome22.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: (no name) - {0623346F-63F7-4B09-B2F0-DDD55282D647} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C1DD717-53B2-485E-A17B-C9977C205E10} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6410CF3E-C293-43C1-8604-14D5E67FD216} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78B0CF7B-6BD9-4722-972B-F8DFD74B77E2} - (no file)
O2 - BHO: (no name) - {A89C2BD1-1E9E-4F5C-92D9-5F67BC06F3FE} - (no file)
O2 - BHO: (no name) - {EC3A9658-8B59-47F0-AF27-B85B2DCC6D39} - C:\WINDOWS\system32\ddabb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [EzButton] "C:\Program Files\EzButton\EzButton.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD97B86-DC48-4ABD-ACC0-0259EAE0F6D6}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{66256D3A-FD59-45DE-9F2B-1FCBF834FE36}: NameServer = 65.83.241.181,67.32.118.46
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 9743 bytes
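A quick way to do the same triage the helper is doing by eye on the log above: pull out the O16 (ActiveX download), O17 (per-interface DNS) and O23 (service) lines and mark the ones worth checking. This is an added example for this thread, not part of HijackThis and not code the helper used; the sample lines are copied straight from the log above, and the "Quarantine"-free heuristics (private-range check, "Unknown owner" string, missing DPF URL) are my assumptions about what a reviewer looks for first.

```python
"""Triage the O16/O17/O23 sections of a HijackThis log.

Added example for this thread; it is not part of HijackThis and not code the
helper used. It pulls out the three line types that most often carry
persistence or traffic redirection and marks entries to verify by hand:
  O16  ActiveX downloads (DPF)    -> entries with no resolvable source URL
  O17  per-interface DNS servers  -> resolvers outside private/loopback ranges
  O23  Windows services           -> binaries with no recognised owner string
A mark means "confirm this", not "this is malware".
"""
import ipaddress
import re

O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$"
)
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_PREFIX = "O23 - Service: "


def parse_o23(line: str):
    """Split 'O23 - Service: <name> - <owner> - <path>' from the right so a
    display name containing ' - ' still parses (assumes the path does not)."""
    parts = line[len(O23_PREFIX):].split(" - ")
    if len(parts) < 3:
        return None
    return {"name": " - ".join(parts[:-2]), "owner": parts[-2], "path": parts[-1]}


def triage_hjt(log: str) -> dict:
    findings = {"dpf_without_url": [], "nonprivate_nameservers": [],
                "unknown_owner_services": []}
    for raw in log.splitlines():
        line = raw.strip()
        if m := O16_RE.match(line):
            if not m["url"].strip():
                findings["dpf_without_url"].append(m["clsid"])
        elif m := O17_RE.match(line):
            for server in (s.strip() for s in m["servers"].split(",")):
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    # A hostname instead of an address is unusual here; surface it.
                    findings["nonprivate_nameservers"].append(server)
                    continue
                if not (addr.is_private or addr.is_loopback):
                    findings["nonprivate_nameservers"].append(server)
        elif line.startswith(O23_PREFIX):
            svc = parse_o23(line)
            if svc and svc["owner"].lower() == "unknown owner":
                findings["unknown_owner_services"].append((svc["name"], svc["path"]))
    return findings


# Lines copied from the HJT log posted above (not constructed).
SAMPLE_LOG = r"""
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD97B86-DC48-4ABD-ACC0-0259EAE0F6D6}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{66256D3A-FD59-45DE-9F2B-1FCBF834FE36}: NameServer = 65.83.241.181,67.32.118.46
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
"""

if __name__ == "__main__":
    for bucket, items in triage_hjt(SAMPLE_LOG).items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

Two caveats when reading the output: public resolvers on a dial-up or ISP-assigned interface are normal (compare them with what the ISP hands out before treating them as a hijack), and "Unknown owner" only means the binary carries no vendor string HijackThis recognises, which is common for OEM laptop utilities; confirm those by checking the file's signature or hash rather than deleting on sight.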
pskelley
2007-11-16, 22:46
Thanks for returning your information. There is one file giving us trouble, but I will wait until I see the Kaspersky scan; it might be gone? We have a little trash to clean out of the HJT log, but I see no malware. Once I see the Kaspersky scan, we will do it all at once.
How is the computer running?
tychrome22
2007-11-16, 22:50
It's running better. Windows Explorer started up after the reboot when I had VundoFix remove that last file. Hasn't gone out on me yet! Also the Kaspersky scan is going much, much faster than the first. If you remember, I told you the first one took about 19 hours to finish. This one is already up and going pretty well. Still slow, but that may have something to do with the fact that I have a 120 GB portable hard drive hooked up, so there is a lot to scan. Other than that, I saw what you saw on the HJT log, but I have no doubt we will be able to get that fixed. Thank you so much for the help. For a while I was thinking I might have to resort to a system restore and lose the majority of my information.
pskelley
2007-11-16, 22:57
Sounds good, we'll see how it looks with the Kaspersky scan.
It takes about one hour on my computer. As a sidebar, I suggest when time permits that you run a diagnostic here:
http://www.pcpitstop.com/pcpitstop/ Register free, don't buy anything, just run the free report. If you post a link to it (check first to be sure it links me to the test report) I may spot something to help.
I also suggest you review this information: http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
when time permits.
tychrome22
2007-11-17, 00:27
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 16, 2007 5:26:47 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/11/2007
Kaspersky Anti-Virus database records: 431874
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 61469
Number of viruses found: 1
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:22:32
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\cert8.db Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\history.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\key3.db Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\parent.lock Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Application Data\Mozilla\Firefox\Profiles\zsovwq4t.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\History\History.IE5\MSHist012007111620071117\index.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tyler Cromey\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tyler Cromey\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\3B.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\3C.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\3D.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\3E.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\5B.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\5C.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0C1D1238-A1EF-43EA-9ACF-9240DDBA7386}\RP688\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2007-11-17, 00:38
KASPERSKY ONLINE SCANNER REPORT
Friday, November 16, 2007 5:26:47 PM
Number of infected objects: 6
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\ <<< delete the contents of that quarantine folder, all six items are in there.
Delete the tools we used during the cleanup, you may keep ATF-Cleaner if you wish.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
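The call made in the post above (six hits, all inside the Trend Micro quarantine folder, so nothing live to remove) is worth automating when a scan report runs to hundreds of lines. This is an added example, not Kaspersky's code and not something the helper ran: it parses the report format shown above, drops the "Object is locked skipped" noise, and sorts real "Infected:" hits into quarantined versus live paths. The "Quarantine" directory-name heuristic is an assumption; the sample report copies the six quarantine lines from the scan above and adds one constructed EICAR test-file line on a live path so the second bucket is exercised.

```python
"""Triage a Kaspersky Online Scanner text report.

Added example for this thread; it is not Kaspersky code and not something the
helper ran. It separates 'Object is locked skipped' noise (files the scanner
could not open) from real 'Infected:' hits, then splits the hits into those
sitting inside an anti-virus quarantine folder (already neutralised; empty the
folder) and those on live paths that still need removal.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:Object is locked skipped|Infected: (?P<name>.+?)\s+skipped)$"
)
STAT_RE = re.compile(
    r"^(?P<key>Total number of scanned objects|Number of [a-z ]+):\s*(?P<val>\d+)$"
)
# Assumption: a path component literally named "Quarantine" is an AV
# quarantine store (Trend Micro AntiVirus 2007 uses that name in the report above).
QUARANTINE_DIRS = {"quarantine"}


def in_quarantine(path: str) -> bool:
    return any(p.lower() in QUARANTINE_DIRS for p in PureWindowsPath(path).parts)


def parse_report(text: str) -> dict:
    stats, locked, infected = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STAT_RE.match(line):
            stats[m["key"]] = int(m["val"])
        elif m := ENTRY_RE.match(line):
            if m["name"] is None:
                locked.append(m["path"])
            else:
                infected.append((m["path"], m["name"]))
    return {"stats": stats, "locked": locked, "infected": infected}


def triage(report: dict) -> dict:
    quarantined, active = defaultdict(list), defaultdict(list)
    for path, name in report["infected"]:
        (quarantined if in_quarantine(path) else active)[name].append(path)
    # Cross-check the scanner's own total against what was parsed: a mismatch
    # means a truncated paste or a line format this parser does not know.
    declared = report["stats"].get("Number of infected objects")
    return {
        "quarantined": dict(quarantined),
        "active": dict(active),
        "count_matches": declared == len(report["infected"]),
    }


# Constructed sample: the six quarantine hits and two locked lines are copied
# from the report above; the count is set to 7 for the one added EICAR line, a
# harmless test signature placed on a live path to exercise the 'active' bucket.
SAMPLE_REPORT = r"""
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\3B.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\3C.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\3D.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\3E.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\5B.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\5C.tmp Infected: Trojan.Win32.Inject.jt skipped
C:\Documents and Settings\example\Desktop\eicar.com Infected: EICAR-Test-File skipped
"""

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for bucket in ("quarantined", "active"):
        print(f"{bucket}:")
        for name, paths in result[bucket].items():
            print(f"    {name}: {len(paths)} object(s)")
    print("count matches scanner summary:", result["count_matches"])
```

Locked files are not "clean"; they were simply not scanned. Registry hives, event logs and browser caches are always locked on a live system, which is why a clean-looking report can still miss something and why the helper asks for a second scan after the cleanup rather than trusting the first.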
tychrome22
2007-11-17, 01:56
So I made a little mistake. Well, a little bit bigger than a little mistake. I accidentally restored my computer to the way it was this morning. The instructions given on the website were different from what it was in System Restore. I couldn't seem to change the settings for some reason. So it looks like all it did was put back that last file we were working on. I went ahead and used VundoFix on it, so I hope it is clean again. I'm not at home, otherwise I would post an HJT log. When I do get back, what would you like me to post? A fresh HJT log and a Kaspersky scan? Thanks.
pskelley
2007-11-17, 02:31
I really don't know. I was going to ask if you had System Restore turned off. You should not; a bad System Restore point is better than no System Restore point in an emergency. If you turned an infected System Restore off and then restored that infected point, then yes, you would reinfect yourself.
I have no way of knowing what you have done from here. Since the last Kaspersky scan was clean except for those six quarantine items, a Kaspersky scan should be clean. I do not need to see clean scan results.
Thanks
tychrome22
2007-11-17, 02:39
Well, what happened was it restored me to this morning at 1:16 AM. So it still has a trace of the infection. Would you like me to just post an HJT log as soon as I can?
pskelley
2007-11-17, 02:42
Like I said, I really can tell nothing from here. I would suggest you run a Kaspersky scan; the results should tell you.
tychrome22
2007-11-17, 02:45
OK, thank you so much. As soon as I can I'll post a Kaspersky report. And then once I'm clean I'll do what you suggested and have that website run a free report. Thank you again, you're a lifesaver.
tychrome22
2007-11-17, 08:31
After my slightly stupid mistake the Kaspersky scan came back clean.
This is the link to my pcpitstop review.
http://www.pcpitstop.com/pcpitstop/Summary.asp
tychrome22
2007-11-17, 08:32
http://www.pcpitstop.com/pcpitstop/Summary.asp?conid=18928001
pskelley
2007-11-17, 12:42
Neither link takes me to your test results. Here is that forum:
http://pcpitstop.invisionzone.com/index.php?showforum=6
and an example of a test results link: http://www.pcpitstop.com/pcpitstop/Summary.asp?TechExpress=MTLSSWUW9UVSPFLV
Thanks
tychrome22
2007-11-17, 18:53
Sorry about that. Here is the link:
http://www.pcpitstop.com/techexpress.asp?id=SEESSW3B3UVS6Y9V
pskelley
2007-11-17, 20:04
OK, and thanks. I see no major problems and the results are fairly easy to understand. I'll look for security issues and you should read it all. Let me know if you have questions. Once again, I do not suggest any purchases.
Defragment files (Drive C)
I suggest you defrag about once a month, whether Windows says you need it or not.
Reduce System Restore space:
Here is information from Microsoft:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Warning >Saving Web Page Passwords with IE May Present a Security Risk
Warning >Form Filling with IE May Present a Security Risk
Warning >Saving Web Page Passwords with Firefox May Present a Security Risk
Warning >Form Filling with Firefox May Present a Security Risk
Thanks
tychrome22
2007-11-18, 00:31
Yeah, I read through it all and most of it made good sense. Again, I thank you so much for your help. You've gone above and beyond the call of duty.