Thread: Another smitfraud-c

  #1 - Junior Member (Join Date: Dec 2006, Posts: 7)

    Another smitfraud-c

    Hello,

    Unfortunately I have smitfraud-c on my computer. I have read many posts about it, but they all seem to have different ways of removing it. I tried to attach my log from Spybot, but it was too long, so here it is underneath. I will post the HijackThis log after as well! I have Spybot 1.4 and Windows XP, and also Trend Micro PC-cillin 2006. Help would be greatly appreciated! Thanks in advance.

    Kyle from Australia



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-12-04 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-12-08 Includes\Cookies.sbi (*)
    2006-12-08 Includes\Dialer.sbi (*)
    2006-12-08 Includes\DialerC.sbi (*)
    2006-11-24 Includes\Hijackers.sbi (*)
    2006-12-08 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2006-12-08 Includes\KeyloggersC.sbi (*)
    2006-12-08 Includes\Malware.sbi (*)
    2006-12-08 Includes\MalwareC.sbi (*)
    2006-10-20 Includes\PUPS.sbi (*)
    2006-12-08 Includes\PUPSC.sbi (*)
    2006-12-08 Includes\Revision.sbi (*)
    2006-12-08 Includes\Security.sbi (*)
    2006-12-08 Includes\SecurityC.sbi (*)
    2006-10-13 Includes\Spybots.sbi (*)
    2006-12-08 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-12-08 Includes\Trojans.sbi (*)
    2006-12-08 Includes\TrojansC.sbi (*)



    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
    / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
    / Windows XP / SP3: Windows XP Hotfix - KB890175


    --- Startup entries list ---
    Located: HK_LM:Run,
    command:
    file:

    Located: HK_LM:Run, Acrobat Assistant 7.0
    command: "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    file: C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    size: 483328
    MD5: 78ff388fd58ce0bae1f7c9670f5473c1

    Located: HK_LM:Run, AGRSMMSG
    command: AGRSMMSG.exe
    file: C:\WINDOWS\AGRSMMSG.exe
    size: 88358
    MD5: b2ed4020ee2a9446649ce6b0a918c91c

    Located: HK_LM:Run, EPSON Stylus C45 Series
    command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O5 "LPT1:" /M "Stylus C45"
    file:

    Located: HK_LM:Run, EPSON Stylus C45 Series (Copy 1)
    command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB003" /M "Stylus C45"
    file:

    Located: HK_LM:Run, HPLJ Config
    command: c:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p COM1: -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    file:

    Located: HK_LM:Run, HWSetup
    command: C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    file:

    Located: HK_LM:Run, NeroCheck
    command: C:\WINDOWS\system32\\NeroCheck.exe
    file:

    Located: HK_LM:Run, pccguide.exe
    command: "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
    file: C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
    size: 897089
    MD5: aece26628485f6a3b30dfacc783646f2

    Located: HK_LM:Run, PWRISOVM.EXE
    command: C:\Program Files\PowerISO\PWRISOVM.EXE
    file:

    Located: HK_LM:Run, SunJavaUpdateSched
    command: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    file:

    Located: HK_LM:Run, SVPWUTIL
    command: C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    file:

    Located: HK_LM:Run, TCtryIOHook
    command: TCtrlIOHook.exe
    file: C:\WINDOWS\system32\TCtrlIOHook.exe
    size: 28672
    MD5: 6dc30391666eb94dcb44a17b86cc66cd

    Located: HK_LM:Run, TFncKy
    command: TFncKy.exe
    file:

    Located: HK_LM:Run, TPSMain
    command: TPSMain.exe
    file: C:\WINDOWS\system32\TPSMain.exe
    size: 282624
    MD5: 2da203dfe0a3658ff3913bb3d208b425

    Located: HK_LM:Run, ZoomingHook
    command: ZoomingHook.exe
    file: C:\WINDOWS\system32\ZoomingHook.exe
    size: 24576
    MD5: fd02f46a78c30f6cff37c7fe37a16cc5

    Located: HK_CU:Run, ctfmon.exe
    command: C:\WINDOWS\system32\ctfmon.exe
    file: C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996a38c0b0cf151c2140ae29fc8

    Located: HK_CU:Run, MSMSGS
    command: "C:\Program Files\Messenger\msmsgs.exe" /background
    file: C:\Program Files\Messenger\msmsgs.exe
    size: 1694208
    MD5: 74e6e96c6f0e2eca4edbb7f7a468f259

    Located: HK_CU:Run, Skype
    command: "C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE" /nosplash /minimized
    file: C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
    size: 20058152
    MD5: 32cc2915fcc207086d9b43ccece298f7

    Located: HK_CU:Run, WinMedia
    command: "C:\DOCUME~1\KYLELO~1\LOCALS~1\Temp\39B28610500.exe "
    file:

    Located: Startup (common), Adobe Acrobat Speed Launcher.lnk
    command: C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
    file: C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
    size: 25214
    MD5: d6294d59171ac375cd142003566aa89e

    Located: Startup (common), HOTSYNCSHORTCUTNAME.lnk
    command: C:\Program Files\palmOne\Hotsync.exe
    file: C:\Program Files\palmOne\Hotsync.exe
    size: 471040
    MD5: f8fb2ca91f25d3eaa2cae2f0b55fec54

    Located: Startup (common), hp psc 1000 series.lnk
    command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    size: 147456
    MD5: 032a9526b5cf926ab9e5177c58e08816

    Located: Startup (common), hpoddt01.exe.lnk
    command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    size: 28672
    MD5: ca7e928c4a34f10898c941b05968be6f

    Located: Startup (common), Microsoft Office.lnk
    command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
    file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
    size: 65588
    MD5: f51f9e10d937a8edd58d2d456ff49468

    Located: Startup (common), RAMASST.lnk
    command: C:\WINDOWS\system32\RAMASST.exe
    file: C:\WINDOWS\system32\RAMASST.exe
    size: 155648
    MD5: 5648152ad2ccab0265eab9711755f484

    Located: Startup (user), Adobe Gamma.lnk
    command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    size: 113664
    MD5: c2ff17734176cd15221c10044ef0ba1a

    Located: Startup (user), palmOne Registration.lnk
    command: C:\Program Files\palmOne\register.exe
    file: C:\Program Files\palmOne\register.exe
    size: 2367488
    MD5: fa4b5c6e69c610e9bf0789209a2f7a95

    Located: System.ini, AtiExtEvent
    command: Ati2evxx.dll
    file: Ati2evxx.dll

    Located: System.ini, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: System.ini, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: System.ini, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: System.ini, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: System.ini, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: System.ini, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, winsys2freg
    command: C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    file: C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    size: 0
    MD5: d41d8cd98f00b204e9800998ecf8427e ???

    Located: System.ini, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll



    --- Browser helper object list ---
    {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
    BHO name:
    CLSID name: DriveLetterAccess
    description: Hewlett-Packard's DLA software
    classification: Unknown
    known filename: tfswshx.dll
    info link:
    info source: TonyKlein
    Path: C:\WINDOWS\system32\dla\
    Long name: tfswshx.dll
    Short name:
    Date (created): 1/09/2005 10:06:44 AM
    Date (last access): 11/12/2006 3:33:22 PM
    Date (last write): 31/05/2005 10:33:00 PM
    Filesize: 118844
    Attributes:
    MD5: ECBB15757C8DFCB1D23685FC2B96B898
    CRC32: 7934BE76
    Version: 1.4.8.0

    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    BHO name:
    CLSID name: SSVHelper Class
    Path: C:\Program Files\Java\jre1.5.0_06\bin\
    Long name: ssv.dll
    Short name:
    Date (created): 2/03/2006 1:53:00 PM
    Date (last access): 11/12/2006 3:33:22 PM
    Date (last write): 10/11/2005 1:22:12 PM
    Filesize: 184423
    Attributes: archive
    MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
    CRC32: 0111B892
    Version: 5.0.60.5

    {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
    BHO name:
    CLSID name: Google Toolbar Helper
    description: Google toolbar
    classification: Open for discussion
    known filename: googletoolbar.dll; googletoolbar*.dll (* = number); googletoolbar_en_*.**-big.dll; Googletoolbar_en_*.*.**-deleon.dll
    info link: http://toolbar.google.com/
    info source: TonyKlein
    Path: c:\program files\google\
    Long name: GoogleToolbar1.dll
    Short name: GOOGLE~1.DLL
    Date (created): 28/02/2006 8:59:44 AM
    Date (last access): 11/12/2006 3:33:14 PM
    Date (last write): 18/10/2006 1:33:42 PM
    Filesize: 2108480
    Attributes: readonly archive
    MD5: 4CB9CC5E19F70337BFE200A4DAD58025
    CRC32: 07D15995
    Version: 4.0.1020.2544

    {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
    BHO name:
    CLSID name: Adobe PDF Conversion Toolbar Helper
    description: Adobe Acrobat
    classification: Legitimate
    known filename: AcroIEFavClient.dll
    info link: http://www.adobe.com/products/acrobatpro/main.html
    info source: TonyKlein
    Path: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\
    Long name: AcroIEFavClient.dll
    Short name: ACROIE~1.DLL
    Date (created): 14/12/2004 2:13:40 AM
    Date (last access): 11/12/2006 3:33:20 PM
    Date (last write): 24/09/2005 3:41:42 PM
    Filesize: 231160
    Attributes: archive
    MD5: 6A95C44FFF0AFE30351CBC92CF327924
    CRC32: 8A33F35E
    Version: 7.0.5.172



    --- ActiveX list ---
    {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
    DPF name: Java Runtime Environment 1.5.0
    CLSID name: Java Plug-in 1.5.0_06
    Installer:
    Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
    description: Sun Java
    classification: Legitimate
    known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
    info link:
    info source: Patrick M. Kolla
    Path: C:\Program Files\Java\jre1.5.0_06\bin\
    Long name: NPJPI150_06.dll
    Short name: NPJPI1~1.DLL
    Date (created): 2/03/2006 1:52:58 PM
    Date (last access): 11/12/2006 2:02:44 PM
    Date (last write): 10/11/2005 1:22:12 PM
    Filesize: 69746
    Attributes: archive
    MD5: D2CF6BB5E9020E6707B62575F8083954
    CRC32: 7F39DC54
    Version: 5.0.60.5

    {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
    DPF name: Java Runtime Environment 1.5.0
    CLSID name: Java Plug-in 1.5.0_06
    Installer:
    Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
    description:
    classification: Legitimate
    known filename: npjpi150_06.dll
    info link:
    info source: Safer Networking Ltd.
    Path: C:\Program Files\Java\jre1.5.0_06\bin\
    Long name: NPJPI150_06.dll
    Short name: NPJPI1~1.DLL
    Date (created): 2/03/2006 1:52:58 PM
    Date (last access): 11/12/2006 4:40:44 PM
    Date (last write): 10/11/2005 1:22:12 PM
    Filesize: 69746
    Attributes: archive
    MD5: D2CF6BB5E9020E6707B62575F8083954
    CRC32: 7F39DC54
    Version: 5.0.60.5

    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
    DPF name: Java Runtime Environment 1.5.0
    CLSID name: Java Plug-in 1.5.0_06
    Installer:
    Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
    description:
    classification: Legitimate
    known filename: npjpi150_06.dll
    info link:
    info source: Safer Networking Ltd.
    Path: C:\Program Files\Java\jre1.5.0_06\bin\
    Long name: NPJPI150_06.dll
    Short name: NPJPI1~1.DLL
    Date (created): 2/03/2006 1:52:58 PM
    Date (last access): 11/12/2006 4:40:44 PM
    Date (last write): 10/11/2005 1:22:12 PM
    Filesize: 69746
    Attributes: archive
    MD5: D2CF6BB5E9020E6707B62575F8083954
    CRC32: 7F39DC54
    Version: 5.0.60.5

    {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
    DPF name:
    CLSID name: Shockwave Flash Object
    Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
    Codebase: http://download.macromedia.com/pub/s...sh/swflash.cab
    description: Macromedia Shockwave Flash Player
    classification: Legitimate
    known filename:
    info link:
    info source: Patrick M. Kolla
    Path: C:\WINDOWS\system32\Macromed\Flash\
    Long name: Flash9.ocx
    Short name:
    Date (created): 5/09/2006 9:48:48 AM
    Date (last access): 11/12/2006 4:17:38 PM
    Date (last write): 22/06/2006 1:44:22 PM
    Filesize: 2201224
    Attributes: readonly archive
    MD5: 99F80CA1EBE95677668F54CAC6F4AD6D
    CRC32: B7385E3B
    Version: 9.0.16.0



    --- Process list ---
    PID: 0 ( 0) [System]
    PID: 540 ( 4) \SystemRoot\System32\smss.exe
    PID: 592 ( 540) \??\C:\WINDOWS\system32\csrss.exe
    PID: 616 ( 540) \??\C:\WINDOWS\system32\winlogon.exe
    PID: 660 ( 616) C:\WINDOWS\system32\services.exe
    size: 108032
    MD5: C6CE6EEC82F187615D1002BB3BB50ED4
    PID: 672 ( 616) C:\WINDOWS\system32\lsass.exe
    size: 13312
    MD5: 84885F9B82F4D55C6146EBF6065D75D2
    PID: 876 ( 660) C:\WINDOWS\system32\Ati2evxx.exe
    size: 376832
    MD5: BFA066BECCB7E16F52B819360253DEE0
    PID: 912 ( 660) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 992 ( 660) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1028 ( 660) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1164 ( 660) C:\WINDOWS\system32\ACS.exe
    size: 36864
    MD5: 539802224D334C25AC439FF0518D36CD
    PID: 1204 ( 616) C:\Program Files\Internet Explorer\iexplore.exe
    size: 93184
    MD5: E7484514C0464642BE7B4DC2689354C8
    PID: 1240 ( 660) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1292 ( 660) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1564 ( 660) C:\WINDOWS\system32\spoolsv.exe
    size: 57856
    MD5: 7435B108B935E42EA92CA94F59C8E717
    PID: 1884 ( 660) C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    size: 40960
    MD5: 3CB0CC8879956C187E87E18634EE5164
    PID: 1916 ( 660) C:\WINDOWS\system32\DVDRAMSV.exe
    size: 110592
    MD5: C9FFBD6B8EDC46CD3D13E3C6DB914FB7
    PID: 1956 ( 660) C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    size: 950354
    MD5: D32759D6EDD6B2EF106421C3494D6C26
    PID: 136 ( 660) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 264 ( 660) C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    size: 340040
    MD5: 54625E7E1C077D6AB915F41BBD9D574E
    PID: 320 ( 660) C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    size: 286791
    MD5: 1B33FF5C2AD27C5C72A3442E11380DAC
    PID: 1096 ( 660) C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    size: 634944
    MD5: 58123C936A1E599B93CF08E4A973BE85
    PID: 1480 ( 616) C:\WINDOWS\system32\Ati2evxx.exe
    size: 376832
    MD5: BFA066BECCB7E16F52B819360253DEE0
    PID: 1696 (1624) C:\WINDOWS\Explorer.EXE
    size: 1032192
    MD5: A0732187050030AE399B241436565E64
    PID: 1964 (1696) C:\WINDOWS\system32\TPSMain.exe
    size: 282624
    MD5: 2DA203DFE0A3658FF3913BB3D208B425
    PID: 1912 (1696) C:\WINDOWS\system32\ZoomingHook.exe
    size: 24576
    MD5: FD02F46A78C30F6CFF37C7FE37A16CC5
    PID: 1996 (1696) C:\WINDOWS\AGRSMMSG.exe
    size: 88358
    MD5: B2ED4020EE2A9446649CE6B0A918C91C
    PID: 2012 (1696) C:\WINDOWS\system32\TCtrlIOHook.exe
    size: 28672
    MD5: 6DC30391666EB94DCB44A17B86CC66CD
    PID: 2056 (1696) C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    size: 188416
    MD5: B4ADEF014D8F76D9576682501EE0A548
    PID: 2076 (1696) C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    size: 483328
    MD5: 78FF388FD58CE0BAE1F7C9670F5473C1
    PID: 2080 (1964) C:\WINDOWS\system32\TPSBattM.exe
    size: 45056
    MD5: B4759DB67BDE87D4FC8C2A9722714B96
    PID: 2092 (1696) C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
    size: 897089
    MD5: AECE26628485F6A3B30DFACC783646F2
    PID: 2108 (1696) C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996A38C0B0CF151C2140AE29FC8
    PID: 2116 (1696) C:\Program Files\Messenger\msmsgs.exe
    size: 1694208
    MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259
    PID: 2440 (1696) C:\Program Files\palmOne\Hotsync.exe
    size: 471040
    MD5: F8FB2CA91F25D3EAA2CAE2F0B55FEC54
    PID: 2452 (1696) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    size: 147456
    MD5: 032A9526B5CF926AB9E5177C58E08816
    PID: 2464 (1696) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    size: 28672
    MD5: CA7E928C4A34F10898C941B05968BE6F
    PID: 2492 (1696) C:\WINDOWS\system32\RAMASST.exe
    size: 155648
    MD5: 5648152AD2CCAB0265EAB9711755F484
    PID: 2708 ( 912) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    size: 286720
    MD5: 30E7DC99FCD2C6D7B488B939B9F16A23
    PID: 3308 ( 660) C:\WINDOWS\system32\HPZipm12.exe
    size: 65795
    MD5: FB03F341FF5380394BF2EE52F1979925
    PID: 4020 (2708) C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    size: 311296
    MD5: 52A6DA50805A81EC92F26BECB1B3FDFF
    PID: 4044 (1696) C:\Program Files\Internet Explorer\iexplore.exe
    size: 93184
    MD5: E7484514C0464642BE7B4DC2689354C8
    PID: 3712 (1696) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    size: 4393096
    MD5: 09CA174A605B480318731E691DC98539
    PID: 432 (1696) C:\Program Files\MSN Messenger\msnmsgr.exe
    size: 7094272
    MD5: B83E12B5341C5DCECC5C217A824FFEB1
    PID: 4 ( 0) System

  #2 - Junior Member (Join Date: Dec 2006, Posts: 7)

    continued...

    --- Browser start & search pages list ---
    Spybot - Search & Destroy browser pages report, 11/12/2006 4:40:44 PM

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
    http://search.msn.com/spbasic.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.americadownunder.com/
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://www.google.com/ie
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
    http://www.google.com/search?q=%s
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    --- Winsock Layered Service Provider list ---
    Protocol 0: MSAFD Tcpip [TCP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 1: MSAFD Tcpip [UDP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 2: MSAFD Tcpip [RAW/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 3: RSVP UDP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 4: RSVP TCP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7A5D1EE6-5706-4135-B6ED-C0EF1EF463A7}] SEQPACKET 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7A5D1EE6-5706-4135-B6ED-C0EF1EF463A7}] DATAGRAM 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FF6313DA-577A-4CEE-96E6-6A548EE158E6}] SEQPACKET 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FF6313DA-577A-4CEE-96E6-6A548EE158E6}] DATAGRAM 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C8F7521A-B26D-48DF-A5E8-2507D9C8E4A3}] SEQPACKET 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C8F7521A-B26D-48DF-A5E8-2507D9C8E4A3}] DATAGRAM 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8FDE322D-DC32-42A6-AA2B-D4D5FB91A3F2}] SEQPACKET 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8FDE322D-DC32-42A6-AA2B-D4D5FB91A3F2}] DATAGRAM 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A49A39F1-48DC-4B67-85D9-90AFD43FE702}] SEQPACKET 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A49A39F1-48DC-4B67-85D9-90AFD43FE702}] DATAGRAM 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{053F2465-F29B-4BCE-83CF-6E56B489E606}] SEQPACKET 5
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{053F2465-F29B-4BCE-83CF-6E56B489E606}] DATAGRAM 5
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{31518CB7-A236-4D11-9EB9-98834DD8D75B}] SEQPACKET 6
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{31518CB7-A236-4D11-9EB9-98834DD8D75B}] DATAGRAM 6
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Namespace Provider 0: Tcpip
    GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider 1: NTDS
    GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

    Namespace Provider 2: Network Location Awareness (NLA) Namespace
    GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: NLA-Namespace

  #3 - Junior Member (Join Date: Dec 2006, Posts: 7)

    HijackThis..

    Logfile of HijackThis v1.99.1
    Scan saved at 4:51:32 PM, on 11/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ACS.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americadownunder.com/
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [HPLJ Config] c:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p COM1: -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O5 "LPT1:" /M "Stylus C45"
    O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB003" /M "Stylus C45"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE" /nosplash /minimized
    O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\KYLELO~1\LOCALS~1\Temp\39B28610500.exe "
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\syst4.dll
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    O21 - SSODL: wSXXXtkU - {2E9BCED6-8431-647C-AAD1-578C60E3EA3D} - C:\WINDOWS\system32\nnwi.dll (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Welcome

    Run HijackThis, click "Config", then "Misc Tools" > "Delete file on reboot"
    (exact spelling counts!!! so don't browse to the files).
    Copy/paste the bolded line below into the File name box, then click Open:
    C:\DOCUME~1\KYLELO~1\LOCALS~1\Temp\39B28610500.exe
    Answer No to the prompt to reboot the PC.
    Do the same for each of these files, one at a time:
    C:\WINDOWS\system32\syst4.dll
    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

    After that last file, answer YES to the prompt to reboot the PC.


    Once Windows has restarted, start HijackThis and place a check next to these items, if there:
    O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\KYLELO~1\LOCALS~1\Temp\39B28610500.exe "
    O20 - AppInit_DLLs: C:\WINDOWS\system32\syst4.dll
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    O21 - SSODL: wSXXXtkU - {2E9BCED6-8431-647C-AAD1-578C60E3EA3D} - C:\WINDOWS\system32\nnwi.dll (file missing)
    ====================================
    Hit "Fix checked" and close HijackThis (don't worry about a HijackThis backup error).

    Run Spybot, check for and fix any problems found; after that, update and do a full system scan with your antivirus program.

    Post a new HijackThis log and mention any current problems.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
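As an added example (not part of this thread or of HijackThis itself), a small Python triage script that applies the same reasoning the helper used above to raw HijackThis log lines: a Run value launching from a Temp directory, a populated AppInit_DLLs, a Winlogon Notify DLL outside system32, and an orphaned SSODL entry. The sample lines are copied from the log posted in this thread; the rule set and the function names are my own assumptions, not a HijackThis feature.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# mixed with clean entries, so the triage rules can be exercised offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\KYLELO~1\LOCALS~1\Temp\39B28610500.exe "
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst4.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: wSXXXtkU - {2E9BCED6-8431-647C-AAD1-578C60E3EA3D} - C:\WINDOWS\system32\nnwi.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Every HijackThis entry starts with a section code (R0, O4, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section_code, reason) when an entry matches a suspicious pattern, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    lower = body.lower()
    if code == "O4" and "\\run:" in lower:
        # Installers clean up after themselves; a persistent Run value that points
        # into a Temp directory is the classic dropper tell seen in this thread.
        if "\\temp\\" in lower:
            return code, "Run value launches an executable from a Temp directory"
    elif code == "O20" and lower.startswith("appinit_dlls:"):
        # AppInit_DLLs is loaded into every process that loads user32.dll; a populated
        # value is rare on a home PC and should always be identified.
        return code, "AppInit_DLLs is set: " + body.split(":", 1)[1].strip()
    elif code == "O20" and lower.startswith("winlogon notify:"):
        # Winlogon Notify DLLs run inside winlogon.exe; legitimate ones live in system32.
        if "\\windows\\system32\\" not in lower:
            return code, "Winlogon Notify DLL outside system32"
    elif code == "O21" and "(file missing)" in lower:
        # A ShellServiceObjectDelayLoad entry whose DLL is gone is leftover persistence.
        return code, "SSODL entry whose DLL is missing (orphaned loader)"
    return None


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Scan a whole log; return (section_code, reason, original_line) for each hit."""
    hits = []
    for raw in text.splitlines():
        result = triage_line(raw)
        if result is not None:
            hits.append((result[0], result[1], raw.strip()))
    return hits


if __name__ == "__main__":
    for code, reason, entry in triage_log(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {entry}")
```

Hits are prompts for a human to research the entry, in the same spirit as the helper's checklist, not an automatic removal list.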

  5. #5
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Thumbs up All gone!

    Thanks so much for your help, I scanned and it didn't find anything wrong!! Appreciate it a lot. Here is the HijackThis log after it is gone. Anything else? If not, thanks heaps!! And hope we don't have to do this again.

    Kyle



    Logfile of HijackThis v1.99.1
    Scan saved at 1:54:50 PM, on 15/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ACS.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americadownunder.com/
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [HPLJ Config] c:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p COM1: -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O5 "LPT1:" /M "Stylus C45"
    O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB003" /M "Stylus C45"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE" /nosplash /minimized
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1166053177421
    O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://camera3.gnax.net/activex/AMC.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Looks OK, but are there any problems to report?

    Let's get another opinion: Panda ActiveScan, a free online scanner:
    http://www.pandasoftware.com/products/activescan.htm
    Do a full scan > click the "My Computer" button.
    After the scan, click "See report", then save the report and post it back here please.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  7. #7
    Member of Team Spybot (tashi)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Glad we could help, as the problem appears to be resolved this topic has been archived.

    If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

    Anyone else with similar problems please start a new topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
