Not sure if this post belongs here (or) in New and Undetected

[denverguy]

Cross-posted here in the Malware forum and the New and Undetected Forum. Sorry - wasn't sure under what category this issue fell into.

Hi all,

First things first - wish you a Merry Christmas and a Happy New Year.

Now for the reason that I am here

I did something really stupid last night and clicked on a .exe file that I received yesterday. Almost immediately, my Windows Firewall as turned off and I could not restart is despite many tries. Additionally, my other firewall, EZFirewall (that came installed with my Toshiba laptop) was also disabled.

After this, I found out that my command prompt refuses to run (I get a "Admin has disabled this feature" message, regedit refuses to start, my disk recovery doesn't work, and most worryingly, my Windows XP install DVD (from Toshiba's original XP recovery pack) just refuses to run despite changing the boot order (and all that good stuff)

I used Spyware Doctor and cleaned out about 120 malware/spyware programs. However, my original problems still persisted. Next, I usd Spybot-S&D (with latest definitions) and removed a further 18 malware programs. Now, my EZ Firewall is working finally but the rest of the usses still remain.

I don't have access to CMD or regedit or system utilities or ability to install from the XP DVD (which I tried in a desperate attempt to format my hard disk).

Please help me as I am at my wit's end. Thank you and I appreciate you taking the time to help us out on this Christmas Day.

My laptop's specs are

Toshiba L15 Satellite
Win XP SP 2
700+ RAM
40 Gigs HDD
Browsers: IE 6.0 and Opera 8.01
AV: Symantec Personal Edition
Firewalls: EZ Firewall
Other programs installed: Spybot S&D, Spyware Doctor, and Windows Defender (beta)

[tashi]

Hi denverguy.

If you can please produce a HJT log as out-lined here: "BEFORE you POST" -Preliminary Steps

Copy and Paste it into this topic and a helper will assist you as soon as available. Cheers.

[denverguy]

Thanks a lot for the reply, tashi. I appreciate it.

Just FYI - I am posting this from the same computer that is infected. This log file was generated a minute ago:

Before I did this, a few minutes ago Icompleted a scan using AVG Anti-Spyware. It removed the following infected files - Backdoor.ciadoor.13, trackingcookie.specificclick, and trackingcookie.tacoda.

After reading your response, I used HijackThis. Here is the log file that was generated using HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 12:16:21 PM, on 12/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\PNOne\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.toshibadirect.com/dpdstart
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft

Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe
F3 - REG:win.ini: load=,
F3 - REG:win.ini: run=,
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} -

C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program

Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}

- C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor -

{B56A7D7D-6927-48C8-A975-17DF180C71AC} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} -

C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows

Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ

Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSConfig]

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG

Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program

Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI

Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware

Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,

DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor -

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} -

C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -

http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -

http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -

http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

(no file)
O9 - Extra button: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.tigermail.auburn.edu
O15 - Trusted Zone: www.surveymonkey.com
O15 - Trusted Zone: www.ttu.edu
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) -

http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)

- https://bdo.webex.com/client/v_myweb...ex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. -

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION -

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. -

C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development

Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development

Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec

AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd

- C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS)

(SharedAccess) - Unknown owner -

C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner -

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Cor

poration - C:\Program

Files\Symantec AntiVirus\Rtvscan.exe

Hi denverguy.

If you can please produce a HJT log as out-lined here: "BEFORE you POST" -Preliminary Steps

Copy and Paste it into this topic and a helper will assist you as soon as available. Cheers.

[pskelley]

Welcome to the forum, you said you did read these instructions:
http://forums.spybot.info/showthread.php?t=288 Please read those instructions again you seems to have missed some of them.

Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
It is preferable, and the log easier to read, if you do not use the [code] or [php] options.

There is no need to copy or quote the instructions we post, we both can scroll back to view them.

You are running MSConfig in Selective Startup mode. Start > Run > type "msconfig" without the quotes and OK. On the General tab choose "Normal Startup" then Apply and OK your way out. You may return to Selective Startup to save your resources once we finish.

1) Run an on-line Anti Virus scan.
Choose one of those free online scans and run it saving the results.

Since you have AVG Anti-Spyware onboard, use these instructions:
http://forums.security-central.us/showthread.php?t=3165
Run a new scan with those instructions and post the results.

Recap:
Restart the computer and post the results of the free online scan, results from AVG Anti-Spyware and a new HJT log that is not formatted and has everything enabled in MSConfig. Please describe any symptoms occuring at that time. Post any error messages you receive "word for word".

Thanks

[denverguy]

My apologies for not following the instructions.

I have changed the start up values in MSConfig and will be posting the results of the online scan, AVG scan, and a new HJT log soon. I appreciate the assistance.

Cheers.

[pskelley]

No problem and thanks for your understanding. I understand having three computers what it is like to have one sick. Take the time you need and I will respond as soon as possible after you post...Phil

[denverguy]

Thanks for the assistance, as always.

I completed the steps outlined in this morning's post and also formatted the logs as per the instructions (I removed Word Wrap). Tried to single space it on the forum here but could not do so

A word-by-word description of error messages and scan results in given below before the actual logs begin.

1. True Vector cannot be initialized for EZ Firewall.

2. Spybot-S&D has detected an important registry entry that has been changed.
Category: System startup global entry
Change: value deleted
Entry: MSConfig
Old data: C:\WINDOWS\PCHealth\HelpCtr\Binaries\M...
New data: <blank>

Action: Registry change denied (by me)

3. Symantec anti-virus is not turned on (though I can see the icon on the system tray).

4. Spybot "Search for Updates"
Error retrieving update info file!
Socket Error # 10061: Conection Refused
Last updated on: 25-Dec-2006

I also ran Spybot-S&D on my computer in Safe Mode and it found nothing.

############Logs of Scans################

Panda Online Scan (had to install Java before the scan as it had been disabled for some odd reason)

Incident - Spyware:Cookie/2o7
Status - Not disinfected
Location - C:\Documents and Settings\PNOne\Cookies\pnone@2o7[1].txt

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:12:10 AM 12/26/2006

+ Scan result: Nothing found.

::Report end

-----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:29:58 AM, on 12/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Documents and Settings\PNOne\Desktop\New Folder\HijackThis.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe
F3 - REG:win.ini: load=,
F3 - REG:win.ini: run=,
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.tigermail.auburn.edu
O15 - Trusted Zone: www.surveymonkey.com
O15 - Trusted Zone: www.ttu.edu
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bdo.webex.com/client/v_myweb...ex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

[pskelley]

OK, there is something going on on this computer I have not seen before. You sure have me scratching my head?
First this is the log you just posted:
Logfile of HijackThis v1.99.1 Scan saved at 10:29:58 AM, on 12/26/2006
This is the marker to indicate to me you are running MSConfig in Selective Startup mode:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
I need to see the HJT log with everything enabled, I have no way of know what may be hiding.


Please tell me if you placed these item in the "Trusted Zones"
O15 - Trusted Zone: http://www.tigermail.auburn.edu
O15 - Trusted Zone: www.surveymonkey.com
O15 - Trusted Zone: www.ttu.edu


I have never seen the Windows Firewall running like this before, what do you know about why it is running like this?
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
Look at how the files/folders are set up?

C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)

Look in your C:\Windows\ folder and find this item, then scan the file in red with one or more of these tools and post the results:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html


Turn off TeaTimer, it will block changes:
http://russelltexas.com/malware/teatimer.htm

AVG Anti-Spyware 7.5\ Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(not sure why this is there, may have to do with something MSConfig is hiding?)

F2 - REG:system.ini: Shell=Explorer.exe
F3 - REG:win.ini: load=,
F3 - REG:win.ini: run=,

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post the information I requested and a HJT log that has the Microsoft Configuration Utility running in Normal Mode.


http://www.pcanswers.co.uk/tips/defa...bsectionid=616
See this information, to my knowledge true vector deals with Zone Alarm. You mention EZ Firewall. What firewall are you running on this computer?

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Looks like you may be running them both, please uninstall one of those Firewalls before you post the next HJT log.


Thanks

[tashi]

Still with us denverguy?

[tashi]

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.