Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: two.exe and suspected other spywares and trojans

  1. 2006-12-05, 11:13 #1
    kari.kentang
    kari.kentang is offline
    Junior Member
    Join Date
    Dec 2006
    Posts
    9

    Default two.exe and suspected other spywares and trojans

    Dear Experts,
    Need your expertise and advise to help clean my cousin's laptop. Using WinXP Home Edition SP2. IE will pop up occassionally with some unidentified URL. Suspect browser hijacked. Am unable to run Panda Activescan. Not sure why. It stopped with 'error on page' at Select a Device for scan. Used eTrust instead, had not attempt any cleaning yet. Also ran Spybot in Safe mode and attempted to fix whatever detected. Would greatly appreciate any advise and help rendered. Thanking in advance.

    Here is eTrust log:

    Scan Results: 50712 files scanned. 45 viruses were detected.

    File Infection Status Path
    two.exe Win32/Secdrop.MW infected C:\Documents and Settings\cel\Desktop\
    333333[1].htm JS/MHTMLRedir!exploit infected C:\Documents and Settings\cel\Local Settings\Temporary Internet Files\Content.IE5\A9ANFVMS\
    A0004561.exe Win32/Thoog.LG infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004562.exe Win32/Licat.X infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004572.exe Win32/Canbede.M infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004574.exe Win32/SillyDl.YQ infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004578.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004584.exe Win32/Thoog.LB infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004591.exe Win32/Licat.U infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004592.exe Win32/Thoog.KX infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004593.exe Win32/Thoog.KW infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004599.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004600.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
    A0004625.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
    A0004626.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
    A0004634.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
    A0004639.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
    A0004676.exe Win32/Thoog.KU infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
    A0004678.exe Win32/SillyDl.YQ infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
    A0004680.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
    A0004688.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
    A0004756.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004769.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004776.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004783.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004787.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004792.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004799.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004805.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004812.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004818.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004824.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004830.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004834.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004842.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004887.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004893.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004901.exe Win32/NetMon.A infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004905.exe Win32/Thoog.ME infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004909.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004968.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004976.exe Win32/Secdrop.MW infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004979.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004992.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
    A0004998.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\


    Here is HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 05:53:36 PM, on 05/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\windows_e53.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\cel\My Documents\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc.support.global.toshiba.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [LaunchApp] launchapp
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [windows] C:\\windows_e53.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_e54.exe
    O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e90.exe
    O4 - HKLM\..\Run: [defender] c:\\dfndrff_e90.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: BITS - C:\WINDOWS\
    O20 - Winlogon Notify: Control Panel - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
    O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\
    O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\jtp0077me.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  2. 2006-12-05, 12:55 #2
    kari.kentang
    kari.kentang is offline
    Junior Member
    Join Date
    Dec 2006
    Posts
    9

    Default two.exe and suspected other spywares and trojans

    Hi again, did another round of spybot scanning. Here are the logs done earlier in safe mode and later in normal mode. Really hope for any advises and help with this. Many thanks again.

    SafeMode Scan:
    05.12.2006 17:45:42 - ##### check started #####
    05.12.2006 17:45:42 - ### Version: 1.4
    05.12.2006 17:45:42 - ### Date: 05/12/2006 17:45:42
    05.12.2006 17:45:42 - ##### checking bots #####
    05.12.2006 17:46:56 - found: Command Service Data
    05.12.2006 17:46:56 - found: Command Service Autorun settings
    05.12.2006 17:46:56 - found: Command Service Program file
    05.12.2006 17:46:56 - found: Command Service Settings
    05.12.2006 17:46:56 - found: Command Service Settings
    05.12.2006 17:46:56 - found: Command Service Settings
    05.12.2006 17:47:30 - found: Smitfraud-C. Autorun settings (defender)
    05.12.2006 17:47:30 - found: Smitfraud-C. Autorun settings (keyboard)
    05.12.2006 17:48:04 - found: Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify Settings
    05.12.2006 17:50:11 - ##### check finished #####

    --- Report generated: 2006-12-05 17:50 ---

    Command Service: Data (File, nothing done)
    C:\windows\newname.dat

    Command Service: Autorun settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newname

    Command Service: Program file (File, nothing done)
    C:\\nwnmff_e54.exe

    Command Service: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Command Service: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Command Service: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService

    Smitfraud-C.: Autorun settings (defender) (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defender

    Smitfraud-C.: Autorun settings (keyboard) (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keyboard

    Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-12-05 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-12-01 Includes\Cookies.sbi (*)
    2006-10-13 Includes\Dialer.sbi (*)
    2006-12-01 Includes\DialerC.sbi (*)
    2006-11-24 Includes\Hijackers.sbi (*)
    2006-12-01 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2006-12-01 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2006-10-13 Includes\Malware.sbi (*)
    2006-12-01 Includes\MalwareC.sbi (*)
    2006-10-20 Includes\PUPS.sbi (*)
    2006-12-01 Includes\PUPSC.sbi (*)
    2006-12-01 Includes\Revision.sbi (*)
    2006-10-13 Includes\Security.sbi (*)
    2006-12-01 Includes\SecurityC.sbi (*)
    2006-10-13 Includes\Spybots.sbi (*)
    2006-12-01 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-12-01 Includes\Trojans.sbi (*)
    2006-12-01 Includes\TrojansC.sbi (*)


    Normal mode Scan:
    05.12.2006 19:23:02 - ##### check started #####
    05.12.2006 19:23:02 - ### Version: 1.4
    05.12.2006 19:23:02 - ### Date: 05/12/2006 07:23:02 PM
    05.12.2006 19:23:02 - ##### checking bots #####
    05.12.2006 19:24:37 - found: Command Service Autorun settings
    05.12.2006 19:24:53 - found: Look2Me.Topconverting Temporary file
    05.12.2006 19:25:26 - found: Command Service Settings
    05.12.2006 19:25:35 - found: Smitfraud-C. Autorun settings (defender)
    05.12.2006 19:25:35 - found: Smitfraud-C. Autorun settings (keyboard)
    05.12.2006 19:29:50 - ##### check finished #####


    --- Report generated: 2006-12-05 19:29 ---

    Command Service: Autorun settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newname

    Look2Me.Topconverting: Temporary file (File, nothing done)
    C:\WINDOWS\system32\guard.tmp

    Command Service: Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-229516171-2466090699-1829343848-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\nwnmff_e??.exe

    Smitfraud-C.: Autorun settings (defender) (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defender

    Smitfraud-C.: Autorun settings (keyboard) (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keyboard


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-12-05 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-12-01 Includes\Cookies.sbi (*)
    2006-10-13 Includes\Dialer.sbi (*)
    2006-12-01 Includes\DialerC.sbi (*)
    2006-11-24 Includes\Hijackers.sbi (*)
    2006-12-01 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2006-12-01 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2006-10-13 Includes\Malware.sbi (*)
    2006-12-01 Includes\MalwareC.sbi (*)
    2006-10-20 Includes\PUPS.sbi (*)
    2006-12-01 Includes\PUPSC.sbi (*)
    2006-12-01 Includes\Revision.sbi (*)
    2006-10-13 Includes\Security.sbi (*)
    2006-12-01 Includes\SecurityC.sbi (*)
    2006-10-13 Includes\Spybots.sbi (*)
    2006-12-01 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-12-01 Includes\Trojans.sbi (*)
    2006-12-01 Includes\TrojansC.sbi (*)

    Rgs,
    Kari
  3. 2006-12-05, 14:01 #3
    Mr_JAk3
    Mr_JAk3 is offline
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi kari.kentang and welcome to Safer Networking Forums

    You got infections there.....

    Disable Spybot S&D Teatimer. (may interfere with our cleaning process)
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu select "Advanced Mode"
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck "Resident TeaTimer" and OK any prompts.
    • Restart your computer


    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
  4. 2006-12-05, 14:24 #4
    kari.kentang
    kari.kentang is offline
    Junior Member
    Join Date
    Dec 2006
    Posts
    9

    Default two.exe and suspected other spywares and trojans

    Dear Warrior, tks for your help. I have unchecked the Tea Timer in Spybot and ran the ComboFix. Below pls find the combofix log. Thanks.


    cel - 06-12-05 21:17:35.35 Service Pack 2
    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\cel\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\clsid\{5E315E10-D62C-495E-A3E3-FD26BC5CBCEF}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{5E315E10-D62C-495E-A3E3-FD26BC5CBCEF}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{5E315E10-D62C-495E-A3E3-FD26BC5CBCEF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{5E315E10-D62C-495E-A3E3-FD26BC5CBCEF}\InprocServer32]
    @="C:\\WINDOWS\\system32\\bnsendto_office.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{02E874E6-F5D4-49BE-B2D4-B18531A941C3}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{02E874E6-F5D4-49BE-B2D4-B18531A941C3}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{02E874E6-F5D4-49BE-B2D4-B18531A941C3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{02E874E6-F5D4-49BE-B2D4-B18531A941C3}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{419F22E9-2EB5-4654-8239-A2ED4FA3FEA4}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{419F22E9-2EB5-4654-8239-A2ED4FA3FEA4}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{419F22E9-2EB5-4654-8239-A2ED4FA3FEA4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{419F22E9-2EB5-4654-8239-A2ED4FA3FEA4}\InprocServer32]
    @="C:\\WINDOWS\\system32\\pprfdisk.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{E9FEDF17-CB8E-4526-B1D6-3CBA9C361886}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{E9FEDF17-CB8E-4526-B1D6-3CBA9C361886}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{E9FEDF17-CB8E-4526-B1D6-3CBA9C361886}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{E9FEDF17-CB8E-4526-B1D6-3CBA9C361886}\InprocServer32]
    @="C:\\WINDOWS\\system32\\igput.dll"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    C:\WINDOWS\system32\bnsendto_office.dll
    C:\WINDOWS\system32\cobjmon.dll
    C:\WINDOWS\system32\h0n0la5m1d.dll
    C:\WINDOWS\system32\igput.dll
    C:\WINDOWS\system32\r0r60a9sed.dll
    C:\WINDOWS\system32\guard.tmp_tobedeleted


    Granting sedebugprivilege to Administrators ... successful


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\deskbar_e70.exe
    C:\deskbar_e90.exe
    C:\nwnmff_e53.exe
    C:\ac3_0010.exe
    C:\RDFX4.exe
    C:\Installer5.exe
    C:\Program Files\Deskbar


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


    2006-12-05 16:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2006-12-05 14:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2006-12-05 13:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2006-12-05 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2006-11-29 22:39 52,161 --a------ C:\Documents and Settings\cel\mt-uninstaller.exe
    2006-11-10 20:22 430,080 --a------ C:\windows_e53.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-05 21:14 -------- d-------- C:\Program Files\Common Files
    2006-12-05 12:03 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-11-27 23:50 -------- d-------- C:\Program Files\Internet Explorer
    2006-11-27 22:11 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-11-10 22:24 -------- d-------- C:\Program Files\MSN Messenger
    2006-10-20 19:32 -------- d-------- C:\Documents and Settings\cel\Application Data\DivX
    2006-10-20 19:25 -------- d-------- C:\Program Files\DivX
    2006-10-13 20:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
    2006-10-07 23:33 -------- d-------- C:\Program Files\Symantec
    2006-10-03 03:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2006-10-03 03:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2006-10-03 03:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2006-10-03 03:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
    2006-09-15 22:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2006-09-13 13:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Norton SystemWorks"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "LaunchApp"="launchapp"
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
    "NDSTray.exe"="NDSTray.exe"
    "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "Toshiba Hotkey Utility"="\"C:\\Program Files\\Toshiba\\Windows Utilities\\Hotkey.exe\" /lang en"
    "PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
    "CFSServ.exe"="CFSServ.exe -NoClient"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "windows"="C:\\\\windows_e53.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Net Scan.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - cel.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\Symantec Drmc.job

    Completion time: 06-12-05 21:19:31.73
    C:\ComboFix.txt ... 06-12-05 21:19
  5. 2006-12-05, 18:02 #5
    Mr_JAk3
    Mr_JAk3 is offline
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again, we'll continue

    You should print these instructions or save these to a text file. Follow these instructions carefully.

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update succesfull message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Download ATF Cleaner by Atribune to your desktop.
    Do NOT run yet.

    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C: ) or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    Make your hidden files visible:
    • Go to My Computer
    • Select the Tools menu and click Folder Options
    • Click the View tab.
    • Checkmark the "Display the contents of system folders"
    • Under the Hidden files and folders select "Show hidden files and folders"
    • Uncheck "Hide protected operating system files"
    • Click Apply and then the OK and close My Computer.


    ==================

    Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
    windows_e53.exe

    Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

    O4 - HKLM\..\Run: [windows] C:\\windows_e53.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_e54.exe
    O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e90.exe
    O4 - HKLM\..\Run: [defender] c:\\dfndrff_e90.exe
    O20 - Winlogon Notify: BITS - C:\WINDOWS\
    O20 - Winlogon Notify: Control Panel - C:\WINDOWS\
    O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\
    O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\jtp0077me.dll

    Restart your computer to the safe mode:
    • Restart your computer
    • Start tapping the F8 key when the computer restarts.
    • When the start menu opens, choose Safe mode
    • Press Enter. The computer then begins to start in Safe mode.


    Go to the My Computer and delete the following folders (if present):
    C:\Documents and Settings\cel

    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    Run ATF Cleaner
    • Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.

    ================

    When you're ready, please post the following logs to here:
    - AVG's report
    - a fresh HijackThis log
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
  6. 2006-12-06, 16:53 #6
    kari.kentang
    kari.kentang is offline
    Junior Member
    Join Date
    Dec 2006
    Posts
    9

    Default two.exe and suspected other spywares and trojans

    Dear Mr_JAk3 sorry for the late response. Had carried out the instructions When tried to delete C:\Documents and Settings\cel, I encountered error. It says that cel is a windows system folder and is required for windows to run properly. It cannot be deleted. However, had tried to delete its contents as much as I can.

    Here are the logs (Kindly refer to next post for HJT logs. Thanks!):

    AVG AntiSpyware scan:
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:28:16 PM 06/12/2006

    + Scan result:



    C:\WINDOWS\Y2Vs\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
    C:\WINDOWS\Y2Vs\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004571.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004572.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004573.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004575.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004576.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004578.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004596.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004599.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004600.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004625.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004626.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004634.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004639.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004680.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004688.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004756.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004767.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004769.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004776.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004783.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004787.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004792.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004799.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004805.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004812.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004818.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004824.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004830.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004834.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004842.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004887.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004893.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004909.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004968.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004979.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004992.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004998.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005057.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005126.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005136.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005137.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005149.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005150.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005249.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005250.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005251.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005252.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005253.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004560.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004677.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005461.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004569.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004674.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004806.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004807.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004885.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004899.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004765.exe -> Adware.Zestyfind : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004591.exe -> Backdoor.MSNMaker.w : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004597.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004906.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004907.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004831.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004832.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004843.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004844.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004845.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004846.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004894.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004895.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004896.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004897.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005518.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004676.exe -> Downloader.Adload.gw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004561.exe -> Downloader.Adload.hd : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004905.exe -> Downloader.Adload.ik : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004641.exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004902.exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005230.exe -> Downloader.Adload.ncy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004574.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004678.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004584.exe -> Downloader.VB.afl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004976.exe -> Dropper.PurityScan.ah : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005509.exe -> Dropper.PurityScan.ah : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004901.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004592.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004593.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004766.vbs -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004900.vbs -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004562.exe -> Worm.Licat.h : Cleaned with backup (quarantined).


    ::Report end


    Rgds,
    Kari
  7. 2006-12-06, 16:55 #7
    kari.kentang
    kari.kentang is offline
    Junior Member
    Join Date
    Dec 2006
    Posts
    9

    Default two.exe and suspected other spywares and trojans

    Fresh HJT log:

    New HighjackThis Log:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:33:42 PM, on 06/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\cel\My Documents\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc.support.global.toshiba.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [LaunchApp] launchapp
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    Rdgs,
    Kari
  8. 2006-12-06, 19:59 #8
    Mr_JAk3
    Mr_JAk3 is offline
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again, looks better
    How is the computer running ?

    I made a mistake, sorry. Please delete the following file if found, not the whole "cel" folder, C:\Documents and Settings\cel\mt-uninstaller.exe
    If you have the things you deleted in your recycle bin, please restore those. Sorry again.

    Delete the following folder if found:
    C:\WINDOWS\Y2Vs

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be promted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
  9. 2006-12-07, 04:14 #9
    kari.kentang
    kari.kentang is offline
    Junior Member
    Join Date
    Dec 2006
    Posts
    9

    Default

    Hi, no worries...so far the computer seems to be working fine. No more popups. Am doing the Kaspersky now. Will be posting the logs soon Y2Vs folder not found already. Had deleted the mt_uninstaller.exe as well

    Thanks so much again for being here for us!

    Rdgs,
    Kari
  10. 2006-12-07, 04:29 #10
    kari.kentang
    kari.kentang is offline
    Junior Member
    Join Date
    Dec 2006
    Posts
    9

    Default two.exe and suspected other spywares and trojans

    Hi again. Here's the Kaspersky Log: (Need to break it into 2 parts)
    --------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, December 07, 2006 11:17:02 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 7/12/2006
    Kaspersky Anti-Virus database records: 248666
    --------------------------------------------------------------------------
    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 38017
    Number of viruses found: 19
    Number of infected objects: 131 / 0
    Number of suspicious objects: 8
    Duration of the scan process: 00:25:47

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XPreload.zip/mc44a54.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XPreload.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XPreload1.zip/mc44a53.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XPreload1.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-12-07_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\cel\Application Data\Spybot - Search & Destroy\Recovery\XPreload.zip/mc44a54.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\cel\Application Data\Spybot - Search & Destroy\Recovery\XPreload.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\cel\Application Data\Spybot - Search & Destroy\Recovery\XPreload1.zip/mc44a53.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\cel\Application Data\Spybot - Search & Destroy\Recovery\XPreload1.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\cel\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\cel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\cel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\cel\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\cel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\cel\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\cel\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\13D4240C.exe Infected: Trojan-Dropper.Win32.PurityScan.q skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\21295889.exe Infected: Trojan-Dropper.Win32.Small.auc skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28A0596B.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe/Stream/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe/Stream/data0002 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe/Stream Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe Inno: infected - 3 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe CryptFF: infected - 3 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3FB73999.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe/Stream/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe/Stream/data0002 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe/Stream Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe Inno: infected - 3 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe CryptFF: infected - 3 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.exe NSIS: infected - 2 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.exe CryptFF: infected - 2 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.tmp/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.tmp NSIS: infected - 2 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.tmp CryptFF: infected - 2 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\425C061C.exe Infected: Trojan-Downloader.Win32.Adload.gw skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\425F3018.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\47380D97.exe Infected: Trojan-Dropper.Win32.PurityScan.q skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\488478AB.exe Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\488A4CA3.com Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\488D76A0.exe Infected: Trojan-Downloader.Win32.Adload.ik skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4891209C.exe Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\48944A99.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\599C020B.exe Infected: Trojan-Downloader.Win32.Adload.gw skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B1B0DBA.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B7A6636.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E2432A7.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F92257F.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.u skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F92257F.exe NSIS: infected - 1 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F92257F.exe CryptFF: infected - 1 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62D66166.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe NSIS: infected - 5 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe CryptFF: infected - 5 skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66E861BD.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A3935AE.exe Infected: Trojan.Win32.Pakes skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A7A7D66.exe Infected: Trojan.Win32.Pakes skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A872557.exe Infected: Trojan.Win32.Pakes skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6E5E1F9B.exe Infected: Trojan-Dropper.Win32.PurityScan.q skipped

    ----- END of Part 1 -----
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules