
Thread: Many viruses! Here is my HJT log. Please help!

  1. #1 | Junior Member | Join Date: Jul 2007 | Location: Alabama | Posts: 15

    Attached is my HJT log. Please advise what to do next. Thanks!!

    Logfile of HijackThis v1.99.1
    Scan saved at 9:56:39 AM, on 7/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\CY_BG.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\PROGRA~1\EVIDEN~1\ee.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Symantec AntiVirus\VPC32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\jbarnes\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jsip01:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;*.kis.koyo-seiko.co.jp;*.jis.jtekt.co.jp;<local>
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: SYSTRAN Personal 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
    O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
    O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Evidence Eliminator] C:\PROGRA~1\EVIDEN~1\ee.exe /m
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
    O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} (DeviceMon Class) - http://www.blackberry.com/DST2007/pa...eLoaderUSB.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1127339566560
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jis.jtekt.co.jp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jis.jtekt.co.jp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jis.jtekt.co.jp
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
    O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

    http://forums.spybot.info/showthread.php?p=105760
    Last edited by tashi; 2007-07-21 at 21:21. Reason: Merged two posts. Added link. ;-)

  2. #2 | pskelley (In Memoriam - Always in our heart) | Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    Welcome to Safer Networking. I wish to be sure you have viewed and understand this information: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Please follow the instructions posted above which are also pinned to the top of the forum.

    Then tell me why you have posted here in the malware forum. Nothing jumps out at me as malware; if something is occurring, please share that information with us, and if you receive any error messages, post those word for word.

    Please read this: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\j2re1.4.2_03 <<< your Java program is BADLY out of date, download the newest version and uninstall all old versions in Add Remove programs.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
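    The triage pskelley does by eye above (nothing jumps out; the Java directory is badly out of date; the log also carries two O23 services marked "(file missing)") can be scripted. The Python below is an added example, not code from the forum, Spybot or HijackThis. It parses a few constructed lines in HijackThis v1.99.1 format modelled on the post #1 log, flags O23 services marked "(file missing)", O4 Run entries that launch a bare program name (resolved through PATH rather than a fixed path), and Java install directories older than an assumed baseline; it also adds a mirrored-basename check of the kind the VundoFix file list later in the thread illustrates (bcdgh.ini beside hgdcb.dll), run over a list constructed from that post. The JAVA_BASELINE value, the sample data and all function names are assumptions for the example.

```python
import re
from os.path import basename, splitext
from typing import Dict, List, Tuple

# Constructed sample: a subset of lines in HijackThis v1.99.1 format, modelled on post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
"""

# Assumption: JRE 6 (1.6.0) was the current release when the thread was posted (mid-2007).
JAVA_BASELINE = (1, 6, 0, 0)

# "O4 - HKLM\..\Run: [name] command" lines; Startup/Global Startup lines are deliberately not matched.
RUN_ENTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "\Java\j2re1.4.2_03\" style install directories -> (major, minor, patch, update)
JAVA_DIR = re.compile(r"\\Java\\j2re(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.I)


def triage_hjt(text: str) -> Dict[str, List[str]]:
    """Walk a HijackThis log and collect the three things a helper checks first."""
    findings: Dict[str, List[str]] = {"file_missing": [], "bare_run_command": [], "old_java": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]

        # O23: a registered service whose binary is gone. Either a broken uninstall or
        # something that was removed while its service entry still tries to start it.
        if section == "O23" and line.endswith("(file missing)"):
            findings["file_missing"].append(line)

        # O4 Run entries with no drive letter are resolved via PATH at logon, so the
        # helper cannot tell from the log which file actually runs.
        m = RUN_ENTRY.match(line)
        if m:
            cmd = m.group("cmd").strip().strip('"')
            if not re.match(r"^[A-Za-z]:\\", cmd):
                findings["bare_run_command"].append(m.group("name"))

        # Any path under an old JRE directory marks an out-of-date Java install.
        j = JAVA_DIR.search(line)
        if j:
            version = tuple(int(x) for x in j.groups())
            install = j.group(0).strip("\\")
            if version < JAVA_BASELINE and install not in findings["old_java"]:
                findings["old_java"].append(install)
    return findings


# Constructed from the file list the poster reports VundoFix found (post #3 of this thread).
VUNDOFIX_FILES = [
    r"C:\Windows\system32\bcdgh.bak1",
    r"C:\Windows\system32\bcdgh.bak2",
    r"C:\Windows\system32\bcdgh.ini",
    r"C:\Windows\system32\hgdcb.dll",
    r"C:\Windows\system32\hvrseiqx.dll",
    r"C:\Windows\system32\vgxdohrd.dll",
    r"C:\Windows\system32\xqiesrvh.ini",
]


def mirrored_stems(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (stem, reversed stem) pairs where both names exist: the Vundo DLL/.ini pattern.

    Each pair is reported once, with the lexically smaller stem first; a palindromic stem
    never pairs with itself.
    """
    stems = {splitext(basename(p.replace("\\", "/")))[0].lower() for p in paths}
    return sorted((s, s[::-1]) for s in stems if s[::-1] in stems and s < s[::-1])


if __name__ == "__main__":
    for key, items in triage_hjt(SAMPLE_LOG).items():
        print(f"{key}: {items}")
    print("mirrored name pairs:", mirrored_stems(VUNDOFIX_FILES))
```

    Run against the full log from post #1 the script reports the same three points the helper raised, and the mirrored-name check reproduces the two pairs in the VundoFix list (bcdgh/hgdcb and hvrseiqx/xqiesrvh) while leaving vgxdohrd, which has no reversed twin, for manual review.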

  3. #3 | Junior Member | Join Date: Jul 2007 | Location: Alabama | Posts: 15

    The reason I think I have a virus - see comments below

    First, I did read all of the "Before You Post" information, but when I attached my HJT log I just made a mistake; then I realized / remembered I was supposed to copy & paste it into my thread.

    I was on the web, and SS&D popped up a window that said SS&D has detected an important registry entry that has been changed.

    Category: Browser Helper Object
    Change: Value Deleted
    Entry: {53707962-6F74-2D53-2644-206D7942484F

    (That was the start of the problems with my computer.)

    I ran SS&D Search for Problems, and it found these problems:
    Smitfraud-C
    Virtumonde.winpop
    Virtumonde
    Win32.Agent.QT

    I ran SS&D "fix selected problems", and it said it fixed all but one problem "Virtumonde".

    I did restart with SS&D run on restart. I got a pop-up window (while SS&D was running):
    No connection to the internet is currently available. To view internet content that has been saved on your computer, click "work offline". I just closed that pop-up window.

    SS&D finished running, and said no threats were found.

    I closed SS&D, and the computer finished booting up, then I immediately got the following:

    SS&D has detected an important registry entry that has been changed.

    Category: Browser Helper Object
    Change: Value Deleted
    Entry: {6EC459E8-F74D-4F61-9788-91206192444C}

    I tried to "Block this Action", but the button would not work.

    Symantec AntiVirus also reported a virus.

    I have been searching the web, including this site, trying to find info, get fixes, etc.

    I downloaded "VundoFix V6.5.6" and ran its "Scan".
    It found:
    C:\Windows\system32\bcdgh.bak1
    C:\Windows\system32\bcdgh.bak2
    C:\Windows\system32\bcdgh.ini
    C:\Windows\system32\hgdcb.dll
    C:\Windows\system32\hvrseiqx.dll
    C:\Windows\system32\vgxdohrd.dll
    C:\Windows\system32\xqiesrvh.ini

    (I did not run the "Remove Vundo" on VundoFix at this time)

    Then I ran SS&D and it found:
    Virtumonde
    Uninstall settings
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current\Version\Uninstall\Outerinfo
    (kind = 1 entries = Registry key)

    Then I "Fixed" the problems in SS&D, then ran SS&D again, and it found no problems.

    Then I ran Vundofix "Scan" again, and it found the same files as before.

    I ran "Remove Vundo" on Vundofix.

    Got this message:

    C:\Windows\system32\hgdcb.dll could not be deleted, Vundofix will reload on reboot to attempt removal.

    I clicked "OK".

    I rebooted into SAFE mode.
    I ran Vundofix again, and it found two of the same files again:
    C:\Windows\system32\bcdgh.ini
    C:\Windows\system32\hgdcb.dll

    I ran Vundofix "Remove Vundo" again.
    On reboot I got Symantec Anti Virus notification:
    C:\Windows\system32\hgdcb.dll
    Clean: Failed
    Quarantine: Failed
    Delete: Succeeded: Access Denied

    I started to click OK to reboot the computer, but just before I clicked OK, a window popped up (same one as earlier):
    No connection to the internet is currently available. To view internet content that has been saved on your computer, click "work offline".

    The computer rebooted, and the same "No connection to the internet is currently available. To view internet content that has been saved on your computer, click "work offline" window popped up.

    Then I got Symantec notification:
    "C:\Windows\system32\ymjfxjjf.exe"

    and VundoFix found:
    C:\Windows\system32\bcdgh.tmp
    C:\Windows\system32\hgdcb.dll

    Symantec said it deleted the file "C:\Windows\system32\ymjfxjjf.exe".

    Then I made my first log post on the SS&D Forums and rebooted my computer; then all of the virus notifications and SS&D Registry Change Denied windows started all over again, with the BHO pop-up windows, so I ran Symantec again, and it found:
    Adware: Purityscan in C:\Windows\system32\httzz.dll
    Action: Delete succeeded

    Virtumonde-yayxurs.dll
    Action: Leave alone: Succeeded

    C:\Windows\system32\STEM32-1\wucrtupd.exe
    Action: Delete Succeeded

    Also, I got SS&D Registry Change denied
    Browser Helper Object
    Value Added: {B1228B7B-FB35-4E16-B94A-A6769CB7E157}
    I "blocked" this, but the "remember this decision" button would not work.

    Now I am at the point of typing this reply, and:

    At this moment, there are approximately five (5) BHO warning windows flashing on repeatedly (for the past 2 days). They say "Resident denied the change of {33D9EBAA-2408-4055-8885-05CE3B8D2771} (category Browser Helper Object) based on your blacklist". This is just one of the many

    Also, Symantec reports it found 3 threats:
    wucrtupd.exe - Adware - (deleted)
    yayxurs.dll - Adware - (left alone)
    httzz.dll - Adware - (deleted)


    I just now downloaded / updated my Symantec files, (which I do every day, sometimes more than once a day). On start up, the Symantec Antivirus Repair Wizard shows the following files as quarantined:

    Gift.zip
    mail2.zip
    talk.zip
    release.zip
    Gift.zip
    account-details.zip
    C:\Documents and Settings\jbar.........Trojan Horse.(I cannot see the rest of the file details)
    C:\Program Files\poolsv\svhost..........Trojan Horse (I cannot see the rest of the file details)

    I clicked "Next" to see if these files can be repaired, but Symantec says it cannot repair the items in quarantine.

    Here is another HJT I just ran (just before I started typing this info).

    Following this HJT is the virus report from Symantec.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:33:02 PM, on 7/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\CY_BG.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\PROGRA~1\EVIDEN~1\ee.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Symantec AntiVirus\VPC32.EXE
    C:\Documents and Settings\jbarnes\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jsip01:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;*.kis.koyo-seiko.co.jp;*.jis.jtekt.co.jp;<local>
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: SYSTRAN Personal 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
    O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
    O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Evidence Eliminator] C:\PROGRA~1\EVIDEN~1\ee.exe /m
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
    O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} (DeviceMon Class) - http://www.blackberry.com/DST2007/pa...eLoaderUSB.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1127339566560
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jis.jtekt.co.jp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jis.jtekt.co.jp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jis.jtekt.co.jp
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
    O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

    SYMANTEC REPORT:

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader
    File: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977\A0135569.exe
    Location: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977
    Computer: JBARNES04441
    User: SYSTEM
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, July 20, 2007 12:56:23 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader.MisleadApp
    File: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977\A0135570.exe
    Location: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977
    Computer: JBARNES04441
    User: SYSTEM
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, July 20, 2007 2:12:08 PM

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Trojan.Vundo
    File: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977\A0136606.dll
    Location: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977
    Computer: JBARNES04441
    User: SYSTEM
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Friday, July 20, 2007 2:47:08 PM


    I read the Java info you gave me, and I will update it. Should I do it now, or wait until these problems are resolved?

    So.......If I am in the wrong area for help, please tell me if SS&D forums can help (which one), or if I need to seek other help.

    Thanks! I really appreciate your help!!

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    No problems, I post that information for everyone so we all know what is required.

    Java: I suggest you update as soon as possible, some information for you:
    http://www.theregister.com/2007/05/1...e_malware_map/
    http://redtape.msnbc.com/2007/05/the_next_net_th.html

    If you want to run HJT from the Desktop I suggest you create a folder to put it in. Logs and backups will be created that can be lost and not be available if needed in an emergency.

    I am still seeing nothing that looks to be malware, I will ask about these two items:
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    This item is optional but CastleCops wants you to know this:
    Related to Market_Browser Note: File is found in C:\Program Files\MarketBrowser\lmt folder. Since the privacy policy of this program allows collecting information ("We automatically collect IP addresses and MarketBrowser registration, license and usage information from you when you use MarketBrowser and/or our Web sites."), it received the "O" status.

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jis.jtekt.co.jp
    A Google search: http://www.google.com/search?hl=en&q...=Google+Search
    Returns nothing, if you know the item, do not be concerned.
    I was on the web & a window from SS&D popped up a window that said SS&D has detected an important registry entry that has been changed
    This must be from TeaTimer; its job, according to how you have the settings, is to block attempts and notify you of them. There will be attempts by valid items and by malware and that is why you are using TeaTimer.
    This CLSID number is: {53707962-6F74-2D53-2644-206D7942484F} L BHO SDhelper.dll SpyBot Search&Destroy
    I am not a Spybot S&D expert, you can post questions to them here:
    http://forums.spybot.info/forumdisplay.php?f=4
    but my guess would be you did an update and this prompted TT to ask if you wanted to allow the changes. Let me post tutorials for using Spybot here for you:
    http://spyware-free.us/tutorials/spybot/
    http://www.bleepingcomputer.com/forums/tutorial43.html
    http://www.safer-networking.org/en/tutorial/index.html

    I am wondering if you just downloaded and installed Spybot for the first time?

    If your Spybot is totally up to date and immunized, it should remove what it finds, if you have questions, post them for the Spybot experts.

    If vundofix found those files, then you had a vundo infection. The items Symantec located all appear to be infections backed up in your System Restore files and can do you no harm unless you do a System Restore, we will clean those files shortly.

    Let's take a look with a good utility tool to see what is going on and then we will run another good scanner to double check for Symantec. Please read and follow the directions carefully.

    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
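    As an added example (not a HijackThis or ComboFix feature, and not written by anyone in this thread), a small Python triage pass that codifies the questions the helper asks of an HJT log by hand: O17 search-list overrides to confirm with the machine's owner, O23 services with no publisher or a missing binary, and O16 ActiveX (DPF) downloads from hosts outside an allow list. The allow list is an assumption for the example; the sample lines are a subset copied from the log posted above.

```python
"""Triage pass over HijackThis-style log lines (added example, not a HJT tool)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allow list for O16 download hosts, seeded from the Microsoft entries in the log.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "support.microsoft.com", "update.microsoft.com"}

# Constructed subset of the HJT log posted in this thread.
SAMPLE_LOG = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jis.jtekt.co.jp
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O23"
    reason: str    # why a human should look at this line
    line: str      # the original log line


SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
O16_RE = re.compile(r"\((?P<name>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"Parameters: (?P<key>\w+) = (?P<value>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text, trusted_hosts=frozenset(TRUSTED_DPF_HOSTS)):
    """Return the lines a reviewer should ask about, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue  # process list, header lines and blanks carry no O-tag
        section, body = m.groups()
        if section == "O16":
            dpf = O16_RE.search(body)
            if dpf:
                host = (urlparse(dpf["url"]).hostname or "").lower()
                if host not in trusted_hosts:
                    findings.append(Finding(section,
                        f"ActiveX control '{dpf['name']}' downloaded from unlisted host {host}",
                        raw.strip()))
        elif section == "O17":
            dns = O17_RE.search(body)
            if dns:
                findings.append(Finding(section,
                    f"{dns['key']} set to {dns['value']}; confirm with the owner", raw.strip()))
        elif section == "O23":
            svc = O23_RE.match(body)
            if svc:
                if "(file missing)" in svc["path"]:
                    findings.append(Finding(section,
                        f"service '{svc['name']}' points at a missing binary", raw.strip()))
                elif svc["owner"].lower() == "unknown owner":
                    findings.append(Finding(section,
                        f"service '{svc['name']}' has no publisher; verify the file", raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```

    The O17 hit is exactly the one the helper raised: the script cannot know that the search list belongs to the user's employer, so it only asks.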

  5. #5
    Junior Member
    Join Date
    Jul 2007
    Location
    Alabama
    Posts
    15

    I'm confused (again - surprise)

    Hi,

    Thanks for the quick reply - you guys are great......

    Just wondering - could the fact that I have two (2) hard drives in the problem laptop have anything to do with not being able to find the BHOs?


    I will read the two articles today.

    I put HJT into a folder on my desktop. Also made a copy on a flashcard.

    Also, I usually add the date & time to the filename of important files - like the HJT log, so I can make sure I'm using the correct one.

    Marketbrowser is just a stock market tracker. I have used it for years. Hopefully it is harmless. Although I can remove it if it is better to. Please advise me.

    The "jis.jtekt.co.jp" settings are for using when I am at my employer's factory in Japan.

    I have used SS&D for quite some time now. I keep it updated every day (or at least every day that I use the problem computer). And, I keep the immunizations current.

    I thought this "Malware Removal" forum was a SS&D forum?

    Are you not an SS&D "expert"?

    And, I'm really confused. If my Symantec says I have the Vundo and other viruses, and I have a screen full of browser helper object registry change windows flashing constantly, isn't something wrong?

    Should I accept the BHO registry changes?

    Also, I just opened IE, and it started opening up unwanted windows and websites. Here are some of them:

    http://drivecleaner.com/.freeware/in...ww.google.com/
    http://www.abcsearch.com/click/?affi...FN0QTOwETN4ETM
    http://89.188.16.10/trafc-2/rfe.php?cmp=nm_ff_ron&uid=7D38261031C311DC92F4F67389FFFFFF&nid=ba&guid=770539CECA22465BB51A05460BC1F509&url=http:%2F%2Fwww.google.com%2F&affid=67389&lid=http>
    http://careers.simplyhired.com/a/job...=RON&kw=110530
    http://seeker.dice.com/jobsearch/ser...21&spon=shpaid
    http://www.decorating-etc.com/Outdoor-Lighting.htm

    And Symantec just reported that it found the Vundo trojan.

    Then I closed those two unwanted IE windows, and another one popped up.

    Now I am getting one IE re-directed window after another.

    I will try to update JAVA now. I downloaded it using Mozilla.


    Help!

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    I have no idea how two hard drives will affect this, but I must assume one is the main hard drive. I believe I stated the instructions so it could be understood. What I am wondering is why you have not followed the directions I posted, downloaded and run combofix and posted the log like I requested. If you have some other idea of how to do this, I would be glad to close the topic and allow you to do so.

    Thank You

  7. #7
    Junior Member
    Join Date
    Jul 2007
    Location
    Alabama
    Posts
    15

    running combofix now

    Sorry, I got side tracked. I am now running Combofix. I am at the screen where it asks for me to type a 1 to continue. I typed "1", and now it is sitting there with a blinking cursor after the 1. Should I hit "Enter", or just wait?

    Also - I did notice that you are a Security Expert - so forgive me for not seeing that before.

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Please read and follow the directions exactly:

    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

  9. #9
    Junior Member
    Join Date
    Jul 2007
    Location
    Alabama
    Posts
    15

    Here is my ComboFix log

    Hello,

    Following is the log from Combofix. (I typed "1" on the Combofix startup screen, and although I saw no instructions to tell me to, I hit the "Enter" key, then Combofix ran.)

    I have a SS&D window asking if I should Allow or Do Not Allow the following:
    Category: System Startup global entry
    Change: Value deleted
    Entry: 00THotkey
    Old data: C:\WINDOWS\System32\00THotkey.exe

    Should I do anything to Allow or Not Allow at this point?
    Should I check the box for Remember this decision?

    Also, Counterspy is asking for approval to "A Change to the Restrict Anonymous Access Requires Approval"
    Change:0
    Should I Allow or Block? Remember the decision?

    I eagerly await your next instruction.

    Thanks!!

    "jbarnes" - 2007-07-22 12:52:52 - ComboFix 07-07-17.8 - Service Pack 2 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\bygcnudn.dll
    C:\WINDOWS\system32\odjhpspg.dll
    C:\WINDOWS\system32\fqvcsgge.dll
    C:\WINDOWS\system32\xeoteghj.dll
    C:\WINDOWS\system32\nduncgyb.ini
    C:\WINDOWS\system32\uvvyb.bak1
    C:\WINDOWS\system32\uvvyb.bak2
    C:\WINDOWS\system32\uvvyb.ini
    C:\WINDOWS\system32\gpsphjdo.ini
    C:\WINDOWS\system32\uvvyb.bak1
    C:\WINDOWS\system32\uvvyb.bak2
    C:\WINDOWS\system32\uvvyb.ini
    C:\WINDOWS\system32\byvvu.dll
    C:\WINDOWS\system32\yayxurs.dll
    C:\WINDOWS\system32\yayxurs.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\OiUninstaller.exe
    C:\Program Files\outerinfo\outerinfo.ico
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\poolsv
    C:\Program Files\poolsv\k11u72.exe
    C:\Program Files\poolsv\wr-1-0000077.exe
    C:\Program Files\winpop
    C:\WINDOWS\system32\stem32~1
    C:\WINDOWS\system32\wnscpisu32.exe


    ((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


    2007-07-22 12:39 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-22 11:54 <DIR> d-------- C:\Temp\JAVA update download 07-22-07
    2007-07-19 16:48 <DIR> d-------- C:\Program Files\Safer Networking
    2007-07-15 19:18 <DIR> d-------- C:\VundoFix Backups
    2007-07-13 23:29 <DIR> d-------- C:\WINDOWS\system32\b10FdUe
    2007-07-13 23:29 <DIR> d-------- C:\Temp\brr


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-22 18:01:46 -------- d-----w C:\Program Files\Symantec AntiVirus
    2007-06-25 19:50:30 -------- d-----w C:\DOCUME~1\jbarnes\APPLIC~1\U3
    2007-06-16 20:38:43 2,000 ----a-w C:\WINDOWS\mozver.dat
    2007-06-16 20:38:41 -------- d-----w C:\Program Files\DivX
    2007-06-09 02:01:43 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-28 17:46:01 -------- d-----w C:\Program Files\Common Files\Nero
    2007-05-28 17:44:01 -------- d-----w C:\Program Files\Ahead
    2007-05-28 17:43:38 -------- d-----w C:\Program Files\Common Files\Ahead
    2007-05-25 12:49:37 -------- d-----w C:\Program Files\Sony Handheld
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2006-08-24 10:26:06 2,434 ----a-w C:\DOCUME~1\jbarnes\APPLIC~1\SAS7_000.DAT


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "000StTHK"="000StTHK.exe" [2001-06-23 23:28 C:\WINDOWS\system32\000StTHK.exe]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 19:16]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 C:\WINDOWS\agrsmmsg.exe]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 19:46]
    "TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2004-01-05 12:47]
    "TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2003-10-06 20:43]
    "TMESBS.EXE"="C:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [2003-08-01 17:56]
    "TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00]
    "TFNF5"="TFNF5.exe" [2003-12-02 17:15 C:\WINDOWS\system32\TFNF5.exe]
    "TPSMain"="TPSMain.exe" [2004-02-03 20:32 C:\WINDOWS\system32\TPSMain.exe]
    "TFncKy"="TFncKy.exe" []
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2003-12-03 15:26]
    "Pinger"="C:\toshiba\ivp\ism\pinger.exe" [2003-10-20 11:39]
    "PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 04:36]
    "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-06-01 11:09]
    "LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-06-01 11:03]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22]
    "PDF Converter Registry Controller"="C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe" [2004-04-29 09:58]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-02-17 17:53]
    "SunServer"="C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe" [2005-11-11 17:47]
    "{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 19:33]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 17:44]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 16:18]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-06-01 10:46]
    "Evidence Eliminator"="C:\PROGRA~1\EVIDEN~1\ee.exe" [2004-04-29 10:08]
    "Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2004-05-17 05:05]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 16:42]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

    C:\DOCUME~1\jbarnes\STARTM~1\Programs\Startup
    Konfabulator.lnk - C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe [2005-05-19 00:23:16]
    VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2006-02-06 11:32:22]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
    Device Detector 2.lnk - C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe [2005-02-10 11:48:49]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-02-17 17:02:25]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLowDiskSpaceChecks"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{076394AD-7FDD-44EF-A075-32C68DBAB99B}"="C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunExecuteHook.dll" [2005-11-11 17:35]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgdcb]
    C:\WINDOWS\system32\hgdcb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    c:\WINDOWS\System32\LgNotify.dll --a------ 2003-12-16 18:49 110592 c:\WINDOWS\system32\LgNotify.dll


    **************************************************************************

    catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-22 13:03:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
    "TracesProcessed"=dword:000000bc

    scanning hidden files ...

    **************************************************************************

    Completion time: 2007-07-22 13:06:08 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-22 13:05

    --- E O F ---

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Have you just recently started using TeaTimer? I really suggest you turn it off until you learn how to use it.
    http://russelltexas.com/malware/teatimer.htm
    http://www.malwarehelp.org/how-to-en...-teatimer.html

    ______________________________________________________

    I strongly suggest you keep this computer offline until it is clean except when troubleshooting. This junk will download more.


    Thanks for the combofix log, please read and follow these directions

    1) Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    (You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

    2) You have Vundofix onboard, I want you to delete that program from your computer completely, including the Vundofix backups. Make sure it is all gone. Vundofix is constantly updated and I want you to download it new from the link I provide and follow my directions.

    Thanks to Atribune and any others who helped with this fix.

    Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    If there is a file VundoFix doesn't find we need it submitted. Please submit the files to upload malware http://www.uploadmalware.com

    Post the Vundofix report, Uninstall list and a new HJT log.

    Thanks
    Last edited by pskelley; 2007-07-22 at 20:49. Reason: adjust information for member
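    The helper's point above is that the files can be called anything, so a name list is no use. Still, the "V Log" in the ComboFix output earlier in this thread shows the random names are not independent: bygcnudn.dll sits beside nduncgyb.ini, odjhpspg.dll beside gpsphjdo.ini and byvvu.dll beside uvvyb.ini/.bak1/.bak2, each .ini name being the .dll name spelled backwards. As an added example (not a ComboFix or VundoFix feature, and not from anyone in the thread), this Python script surfaces such reversed-name pairs from a deletion list and separately reports the names that have no twin; the sample list is copied from the log above.

```python
"""Reversed-name pairing over a ComboFix deletion list (added example)."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the "V Log" file list copied from the ComboFix output in this thread.
V_LOG = r"""
C:\WINDOWS\system32\bygcnudn.dll
C:\WINDOWS\system32\odjhpspg.dll
C:\WINDOWS\system32\fqvcsgge.dll
C:\WINDOWS\system32\xeoteghj.dll
C:\WINDOWS\system32\nduncgyb.ini
C:\WINDOWS\system32\uvvyb.bak1
C:\WINDOWS\system32\uvvyb.bak2
C:\WINDOWS\system32\uvvyb.ini
C:\WINDOWS\system32\gpsphjdo.ini
C:\WINDOWS\system32\uvvyb.bak1
C:\WINDOWS\system32\uvvyb.bak2
C:\WINDOWS\system32\uvvyb.ini
C:\WINDOWS\system32\byvvu.dll
C:\WINDOWS\system32\yayxurs.dll
C:\WINDOWS\system32\yayxurs.dll
"""


def _by_stem(paths):
    """Map (directory, lower-cased stem) -> set of file names; repeated lines collapse."""
    groups = defaultdict(set)
    for line in paths:
        p = PureWindowsPath(line.strip())
        if p.name:  # skip blank lines
            groups[(str(p.parent).lower(), p.stem.lower())].add(p.name)
    return groups


def mirrored_groups(paths):
    """Return [(files_a, files_b), ...] for every pair of stems in the same directory
    that are reverses of each other. Each side is a sorted list; the pair is ordered
    by the lexically smaller stem so each pair is emitted once and output is stable.
    Palindromic stems are their own reverse and are not treated as a pair."""
    groups = _by_stem(paths)
    out = []
    for (folder, stem), files in groups.items():
        rev = stem[::-1]
        if stem < rev and (folder, rev) in groups:
            out.append((sorted(files), sorted(groups[(folder, rev)])))
    return sorted(out)


def unmirrored(paths):
    """Names with no reversed twin. The pairing is a hint, not a verdict: these
    still deserve a look, just without the extra evidence."""
    groups = _by_stem(paths)
    lone = []
    for (folder, stem), files in groups.items():
        rev = stem[::-1]
        if rev == stem or (folder, rev) not in groups:
            lone.extend(files)
    return sorted(lone)


if __name__ == "__main__":
    lines = V_LOG.splitlines()
    for a, b in mirrored_groups(lines):
        print("pair:", ", ".join(a), "<->", ", ".join(b))
    print("no twin:", ", ".join(unmirrored(lines)))
```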
