Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

it started with virtumonde...


Post by geolink » November 3rd, 2007, 4:38 am

Hi. I've been working on a friend's laptop for a couple of weeks, trying to rid it of multiple infections. Virtumonde seemed to be the biggest culprit at first, though I've used many virus/spyware/malware tools since and have found many more infections.

I've run combofix, a2free, adaware, spybot, avg75free, norton, superantispyware, and a couple of tools specifically to remove virtumonde. The laptop seems to be running MUCH better now, but I'd like to be sure it's completely clean.

I'd be most grateful if someone could have a look and let me know if they see any remaining threats.

I'll post the combofix and a2 logs along with the latest HJT log that I have, plus whatever you'd like to review.

Thanks!
geolink
Active Member
 
Posts: 9
Joined: November 3rd, 2007, 4:25 am

Hijack This log - Thanks for helping!

Post by geolink » November 3rd, 2007, 2:27 pm

(forgot to post this log in my first post)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:59 AM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Adsense Helper Object - {18FA53D3-B7A8-4309-8045-D43D6AA2DCE9} - C:\Program Files\Adsense Helper Object\aho.v5.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {92034D6B-8380-DF25-D90B-82ADDCE52796} - C:\WINDOWS\System32\wmgrcxl.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Zrdvei] "C:\Program Files\Common Files\??stem32\?pool32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Osus] "C:\DOCUME~1\MARYAN~1\MYDOCU~1\SCURIT~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1587656472
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

--
End of file - 9492 bytes
geolink
Active Member
 
Posts: 9
Joined: November 3rd, 2007, 4:25 am

Post by Katana » November 3rd, 2007, 6:53 pm

Hi geolink and welcome to the forums :)

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Installed Programs
Please could you give me a list of the programs that are installed. This will help me create a fix for you.
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.

You will see a list with the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, a Notepad window will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

Please can you post the ComboFix log as well.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by geolink » November 3rd, 2007, 7:56 pm

Here's the Uninstall list:

Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
ALPS Touch Pad Driver
ArcSoft Software Suite
a-squared Free 3.0
AT&T Connection Services Manager
Atheros Client Utility
Atheros Wireless LAN MiniPCI card Driver
AVG Anti-Spyware 7.5
CC_ccStart
ccCommon
CD/DVD Drive Acoustic Silencer
DVD-RAM Driver
EarthLink Software
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD for Toshiba
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft Web Publishing Wizard 1.52
Microsoft Works 7.0
Mozilla Firefox (2.0.0.9)
MSRedist
MSXML 4.0 SP2 (KB936181)
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Notebook Maximizer
Quicken 2004
QuickTime
RealPlayer Basic
Roxio Burn Engine
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Shockwave
SigmaTel AC97 Audio Drivers
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy
Symantec Script Blocking Installer
SymNet
The Print Shop 20
The Print Shop Business Card Creator
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Controls
TOSHIBA Fax Extension
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad On/Off Utility V2.05.00
TOSHIBA Utilities
TOSHIBA Zooming Utility
Touch and Launch
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

ComboFix listing (from last night; have done more cleanup since this scan):

ComboFix 07-11-01.2 - Mary Anne 2007-11-02 1:05:50.1 - NTFSx86
Running from: C:\Documents and Settings\Mary Anne\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mary Anne\My Documents\SCURIT~1
C:\Documents and Settings\Mary Anne\My Documents\SCURIT~1\s?curity\
C:\Program Files\Common Files\stem32~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\smante~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-11-02 01:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 22:44 <DIR> d-------- C:\Documents and Settings\Mary Anne\Application Data\AVG7
2007-10-24 22:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-24 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-24 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-24 22:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-24 22:16 <DIR> d-------- C:\Program Files\SymNetDrv
2007-10-23 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-23 00:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-23 00:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-23 00:42 <DIR> d-------- C:\Documents and Settings\Mary Anne\Application Data\SUPERAntiSpyware.com
2007-10-23 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-23 00:33 <DIR> d-------- C:\Temp\Tmp___30167
2007-10-23 00:33 <DIR> d-------- C:\Temp
2007-10-22 23:49 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-22 23:49 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-22 23:49 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-22 23:49 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-22 23:49 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-22 23:49 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-22 23:49 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-22 23:49 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-22 23:38 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-10-22 22:51 <DIR> d-------- C:\Program Files\Adsense Helper Object
2007-10-22 21:55 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-22 21:55 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-22 21:55 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-22 21:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-22 21:09 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-22 21:09 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-22 21:08 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-22 21:08 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-22 20:58 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-22 00:44 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-22 00:44 <DIR> d-------- C:\WINDOWS\peernet
2007-10-22 00:40 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-22 00:31 <DIR> d-------- C:\WINDOWS\EHome
2007-10-22 00:14 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2007-10-22 00:05 <DIR> d-------- C:\Documents and Settings\tom\WINDOWS
2007-10-22 00:05 <DIR> d-------- C:\Documents and Settings\tom\Application Data\toshiba
2007-10-22 00:05 <DIR> d-------- C:\Documents and Settings\tom\Application Data\Symantec
2007-10-22 00:05 <DIR> d-------- C:\Documents and Settings\tom\Application Data\InterVideo
2007-10-22 00:05 <DIR> d-------- C:\Documents and Settings\tom\Application Data\InterTrust
2007-10-21 23:47 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-21 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-21 23:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-21 23:19 0 --a------ C:\Firefox Setup 2.0.0.8.exe
2007-10-21 22:23 <DIR> d-------- C:\WINDOWS\pss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-25 08:14 --------- d-----w C:\Program Files\EarthLink TotalAccess
2007-10-25 08:03 --------- d-----w C:\Program Files\Common Files\EarthLink
2007-10-25 06:49 --------- d-----w C:\Program Files\Java
2007-10-25 05:31 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-10-25 05:16 --------- d-----w C:\Program Files\Symantec
2007-10-25 05:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-23 07:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 07:20 --------- d-----w C:\Program Files\Napster
2007-10-23 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-23 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-22 07:06 --------- d-----w C:\Program Files\Web Publish
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18FA53D3-B7A8-4309-8045-D43D6AA2DCE9}]
2007-10-22 22:51 26112 --a------ C:\Program Files\Adsense Helper Object\aho.v5.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92034D6B-8380-DF25-D90B-82ADDCE52796}]
C:\WINDOWS\System32\wmgrcxl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 16:16]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 14:47]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 13:45]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 18:00]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 07:30]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 08:39]
"IVPServiceMgr"="C:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 08:37]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2004-02-25 14:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-07 11:36]
"TPSMain"="TPSMain.exe" [2004-03-03 12:57 C:\WINDOWS\system32\TPSMain.exe]
"TFNF5"="TFNF5.exe" [2003-12-02 14:15 C:\WINDOWS\system32\TFNF5.exe]
"TFncKy"="TFncKy.exe" []
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 16:01]
"NDSTray.exe"="NDSTray.exe" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-01-26 19:03]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-26 19:03]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-26 01:04]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 16:46]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 11:20 C:\WINDOWS\agrsmmsg.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-24 22:16]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 22:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 03:24]
"Zrdvei"="C:\Program Files\Common Files\??stem32\?pool32.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Osus"="C:\DOCUME~1\MARYAN~1\MYDOCU~1\SCURIT~1\regsvr32.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 15:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-03-03 04:00:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Mary Anne.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
"2007-11-02 08:38:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 01:17:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 1:39:59 - machine was rebooted
.
--- E O F ---


Thanks!
geolink
Active Member
 
Posts: 9
Joined: November 3rd, 2007, 4:25 am

Post by Katana » November 3rd, 2007, 8:59 pm

Ok, you may have to repeat some of the steps you have done so that I can see the logs.

Firstly, Norton AntiVirus 2004 ---- Is there a current subscription for this?
i.e. is it still being paid for and up to date with virus definitions?

These programs need removing
Java 2 Runtime Environment, SE v1.4.2_03 << just uninstall via Add/Remove Programs
Spybot - Search & Destroy << download the latest version, then uninstall this one.


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    File::
    C:\WINDOWS\System32\wmgrcxl.dll
    
    DirLook::
    C:\WINDOWS\provisioning
    C:\WINDOWS\peernet
    C:\WINDOWS\EHome
    
    Folder::
    C:\Program Files\Adsense Helper Object
    C:\Temp\Tmp___30167
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18FA53D3-B7A8-4309-8045-D43D6AA2DCE9}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92034D6B-8380-DF25-D90B-82ADDCE52796}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Zrdvei"=-
    "Osus"=-
    

  • Save this as CFScript.txt and place it on your desktop.


    [Screenshot: dragging CFScript.txt onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Kaspersky Online Scanner

Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary.
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box, then click the down arrow to the right of Save as type: and select text file (*.txt).
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Logs/Information to Post in Reply
Please post the following logs/information in your reply (you may need more than one post):
  • The new ComboFix log
  • Kaspersky log
  • A fresh HJT log
  • How are things running now?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
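As an added example (not code from this thread, from HijackThis or from ComboFix), the following Python script triages a HijackThis v2 log for the entry patterns Katana's fix targets (a BHO whose file is gone, Run entries with non-ASCII look-alike folder names or a system binary launched from a user profile, a browser proxy pointed at localhost, a service with a missing binary) and renders the hits in CFScript form. The sample log lines are constructed from the log posted above; the list of system binaries and the look-alike-folder heuristic are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format, modelled on entries from the log
# posted in this thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {92034D6B-8380-DF25-D90B-82ADDCE52796} - C:\WINDOWS\System32\wmgrcxl.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKCU\..\Run: [Zrdvei] "C:\Program Files\Common Files\??stem32\?pool32.exe"
O4 - HKCU\..\Run: [Osus] "C:\DOCUME~1\MARYAN~1\MYDOCU~1\SCURIT~1\regsvr32.exe" -vt yazb
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe (file missing)
"""

# Assumption: these Windows binaries belong under %SystemRoot%; a copy started
# from a user profile (regsvr32.exe from My Documents above) is a masquerade.
SYSTEM_BINARIES = {"regsvr32.exe", "svchost.exe", "spool32.exe", "ctfmon.exe"}
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[CL][UM])\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str      # HJT section code, e.g. "O4"
    name: str         # Run value, BHO name or service name
    path: str         # path exactly as HJT printed it
    reason: str
    hive: str = ""    # HKCU/HKLM, O4 entries only
    clsid: str = ""   # O2 entries only


def exe_path(cmd: str) -> str:
    """Return only the executable path from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]  # unquoted: args start at " /x" or " -x"


def triage(text: str) -> list[Finding]:
    """Flag the log entries that show the patterns cleaned up in this thread."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "R1" and ",ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            if re.search(r"\b(localhost|127\.0\.0\.1)\b", value):
                findings.append(Finding(section, "ProxyServer", value,
                                        "browser traffic routed through a local proxy"))
        elif section == "O2" and (bm := BHO_RE.match(body)):
            if "(file missing)" in bm["path"] or "(no file)" in bm["path"]:
                findings.append(Finding(section, bm["name"], bm["path"],
                                        "BHO registered for a file that no longer exists",
                                        clsid=bm["clsid"]))
        elif section == "O4" and (rm := RUN_RE.match(body)):
            path = exe_path(rm["cmd"])
            base = path.rsplit("\\", 1)[-1].lower()
            if "?" in path:  # HJT prints '?' for non-ASCII characters
                findings.append(Finding(section, rm["name"], path,
                                        "non-ASCII characters in path: look-alike folder name",
                                        hive=rm["hive"]))
            elif base in SYSTEM_BINARIES and not path.lower().startswith("c:\\windows"):
                findings.append(Finding(section, rm["name"], path,
                                        base + " started from outside the Windows directory",
                                        hive=rm["hive"]))
        elif section == "O23" and (sm := SVC_RE.match(body)):
            if "(file missing)" in sm["path"]:
                findings.append(Finding(section, sm["name"], sm["path"],
                                        "service points to a binary that no longer exists"))
    return findings


def cfscript(findings: list[Finding]) -> str:
    """Render the O2 and O4 findings as ComboFix CFScript sections."""
    bho = [f for f in findings if f.section == "O2"]
    runs = [f for f in findings if f.section == "O4"]
    lines: list[str] = []
    if bho:
        lines += ["File::"] + [f.path.replace(" (file missing)", "") for f in bho] + [""]
    if bho or runs:
        lines.append("Registry::")
        lines += ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + f.clsid + "]" for f in bho]
        for hive, full in HIVES.items():
            names = [f.name for f in runs if f.hive == hive]
            if names:
                lines.append("[" + full + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
                lines += ['"' + n + '"=-' for n in names]
    return "\n".join(lines)
```

Run `triage(SAMPLE_LOG)` and pass the result to `cfscript()` to see the script it would hand to ComboFix; the R1 and O23 hits are reported only, since those are reviewed by hand rather than scripted.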

Post by geolink » November 5th, 2007, 4:03 am

Hi, Katana. Here you go:

My friend had not updated Norton. I was going to wait until this laptop was clean before renewing her subscription, or possibly opt for a different product. I did install the latest AVG Free on it and ran several scans before this.

I did install the latest version of Spybot S&D. I checked my version against what's available and it's the same version. Did you see something that made you think it's not?

I did uninstall the Java program as you asked.

Here are the new logs.

Thanks!



ComboFix 07-11-01.2 - Mary Anne 2007-11-04 22:03:21.2 - NTFSx86
Running from: C:\Documents and Settings\Mary Anne\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mary Anne\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\System32\wmgrcxl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Program Files\Adsense Helper Object
C:\Program Files\Adsense Helper Object\aho.v5.dll
C:\Temp\Tmp___30167
C:\Temp\Tmp___30167\CSICore.dll
C:\Temp\Tmp___30167\CSIGUI.dll
C:\Temp\Tmp___30167\PrevxCSI.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-03 14:10 <DIR> d-------- C:\Documents and Settings\Mary Anne\Application Data\Grisoft
2007-11-03 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-03 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-02 23:10 <DIR> d-------- C:\Program Files\a-squared Free
2007-11-02 22:26 <DIR> d-------- C:\Documents and Settings\Mary Anne\.housecall6.6
2007-11-02 21:54 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-02 21:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-02 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-02 00:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 21:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2007-10-24 21:16 <DIR> d-------- C:\Program Files\SymNetDrv
2007-10-23 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-22 23:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-22 23:42 <DIR> d-------- C:\Documents and Settings\Mary Anne\Application Data\SUPERAntiSpyware.com
2007-10-22 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-22 23:33 <DIR> d-------- C:\Temp
2007-10-22 22:49 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-22 22:49 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-22 22:49 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-22 22:49 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-22 22:49 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-22 22:49 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-22 22:49 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-22 22:49 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-22 22:38 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-10-22 20:55 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-22 20:55 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-22 20:55 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-22 20:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-22 20:09 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-22 20:09 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-22 20:08 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-22 20:08 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-22 19:58 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-21 23:44 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-21 23:44 <DIR> d-------- C:\WINDOWS\peernet
2007-10-21 23:40 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-21 23:31 <DIR> d-------- C:\WINDOWS\EHome
2007-10-21 23:14 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2007-10-21 23:05 <DIR> d-------- C:\Documents and Settings\tom\WINDOWS
2007-10-21 23:05 <DIR> d-------- C:\Documents and Settings\tom\Application Data\toshiba
2007-10-21 23:05 <DIR> d-------- C:\Documents and Settings\tom\Application Data\Symantec
2007-10-21 23:05 <DIR> d-------- C:\Documents and Settings\tom\Application Data\InterVideo
2007-10-21 23:05 <DIR> d-------- C:\Documents and Settings\tom\Application Data\InterTrust
2007-10-21 22:47 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-21 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-21 22:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-21 22:19 0 --a------ C:\Firefox Setup 2.0.0.8.exe
2007-10-21 21:23 <DIR> d-------- C:\WINDOWS\pss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 08:41 --------- d-----w C:\Program Files\EarthLink TotalAccess
2007-10-25 08:03 --------- d-----w C:\Program Files\Common Files\EarthLink
2007-10-25 06:49 --------- d-----w C:\Program Files\Java
2007-10-25 05:31 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-10-25 05:16 --------- d-----w C:\Program Files\Symantec
2007-10-25 05:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-23 07:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 07:20 --------- d-----w C:\Program Files\Napster
2007-10-23 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-23 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-22 07:06 --------- d-----w C:\Program Files\Web Publish
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\EHome ----

2006-04-22 22:13 112 --a------ C:\WINDOWS\EHome\medctrro.cmd

---- Directory of C:\WINDOWS\peernet ----

2004-08-03 23:56 462848 --------- C:\WINDOWS\peernet\sqlqp20.dll
2004-08-03 23:56 151552 --------- C:\WINDOWS\peernet\sqldb20.dll
2004-08-03 23:56 110592 --------- C:\WINDOWS\peernet\sqlse20.dll

---- Directory of C:\WINDOWS\provisioning ----

2004-07-17 10:35 9924 --------- C:\WINDOWS\provisioning\schemas\flashconfigdevice.xdr
2004-07-17 10:35 861 --------- C:\WINDOWS\provisioning\schemas\mschapv2userpropertiesv1.xdr
2004-07-17 10:35 732 --------- C:\WINDOWS\provisioning\schemas\help.xdr
2004-07-17 10:35 698 --------- C:\WINDOWS\provisioning\schemas\mspeapuserpropertiesv1.xdr
2004-07-17 10:35 689 --------- C:\WINDOWS\provisioning\schemas\eapconnectionpropertiesv1.xdr
2004-07-17 10:35 580 --------- C:\WINDOWS\provisioning\schemas\baseeapuserpropertiesv1.xdr
2004-07-17 10:35 520 --------- C:\WINDOWS\provisioning\schemas\baseeapconnectionpropertiesv1.xdr
2004-07-17 10:35 4089 --------- C:\WINDOWS\provisioning\schemas\flashconfig.xdr
2004-07-17 10:35 395 --------- C:\WINDOWS\provisioning\schemas\mschapv2connectionpropertiesv1.xdr
2004-07-17 10:35 378 --------- C:\WINDOWS\provisioning\schemas\eapuserpropertiesv1.xdr
2004-07-17 10:35 2459 --------- C:\WINDOWS\provisioning\schemas\masterfile.xdr
2004-07-17 10:35 22405 --------- C:\WINDOWS\provisioning\schemas\wizard.xdr
2004-07-17 10:35 2036 --------- C:\WINDOWS\provisioning\schemas\wirelessprofile.xdr
2004-07-17 10:35 1911 --------- C:\WINDOWS\provisioning\schemas\mspeapconnectionpropertiesv1.xdr
2004-07-17 10:35 1721 --------- C:\WINDOWS\provisioning\schemas\locations.xdr
2004-07-17 10:35 1673 --------- C:\WINDOWS\provisioning\schemas\ssid.xdr
2004-07-17 10:35 1426 --------- C:\WINDOWS\provisioning\schemas\branding.xdr
2004-07-17 10:35 1032 --------- C:\WINDOWS\provisioning\schemas\register.xdr


((((((((((((((((((((((((((((( snapshot@2007-11-02_ 1.18.37.72 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 01:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-17 08:00:00 97,776 ----a-w C:\WINDOWS\Downloaded Program Files\scrauth.dat
+ 2007-10-17 08:00:00 399,048 ----a-w C:\WINDOWS\Downloaded Program Files\tcdefs.dat
+ 2007-10-17 08:00:00 1,884,336 ----a-w C:\WINDOWS\Downloaded Program Files\tcscan7.dat
+ 2007-10-17 08:00:00 404,496 ----a-w C:\WINDOWS\Downloaded Program Files\tcscan8.dat
+ 2007-10-17 08:00:00 943,865 ----a-w C:\WINDOWS\Downloaded Program Files\tcscan9.dat
+ 2007-10-17 08:00:00 67,815 ----a-w C:\WINDOWS\Downloaded Program Files\tscan1.dat
+ 2007-10-17 08:00:00 3,240 ----a-w C:\WINDOWS\Downloaded Program Files\tscan1hd.dat
+ 2007-10-17 08:00:00 995,007 ----a-w C:\WINDOWS\Downloaded Program Files\virscan1.dat
+ 2007-10-17 08:00:00 570,900 ----a-w C:\WINDOWS\Downloaded Program Files\virscan2.dat
+ 2007-10-17 08:00:00 150,392 ----a-w C:\WINDOWS\Downloaded Program Files\virscan3.dat
+ 2007-10-17 08:00:00 320,253 ----a-w C:\WINDOWS\Downloaded Program Files\virscan4.dat
+ 2007-10-17 08:00:00 4,746,945 ----a-w C:\WINDOWS\Downloaded Program Files\virscan5.dat
+ 2007-10-17 08:00:00 391,835 ----a-w C:\WINDOWS\Downloaded Program Files\virscan6.dat
+ 2007-10-17 08:00:00 12,813,258 ----a-w C:\WINDOWS\Downloaded Program Files\virscan7.dat
+ 2007-10-17 08:00:00 1,834,116 ----a-w C:\WINDOWS\Downloaded Program Files\virscan8.dat
+ 2007-10-17 08:00:00 5,140,808 ----a-w C:\WINDOWS\Downloaded Program Files\virscan9.dat
- 2007-10-23 06:27:59 54,478 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-05 05:44:36 54,478 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-23 06:27:59 384,834 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-05 05:44:37 384,834 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-07-23 01:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-23 02:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 15:16]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 13:47]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-02 12:45]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 17:00]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 06:30]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 07:39]
"IVPServiceMgr"="C:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 07:37]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2004-02-25 13:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-07 10:36]
"TPSMain"="TPSMain.exe" [2004-03-03 11:57 C:\WINDOWS\system32\TPSMain.exe]
"TFNF5"="TFNF5.exe" [2003-12-02 13:15 C:\WINDOWS\system32\TFNF5.exe]
"TFncKy"="TFncKy.exe" []
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 15:01]
"NDSTray.exe"="NDSTray.exe" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-01-26 18:03]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-26 18:03]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-26 00:04]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 15:46]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 10:20 C:\WINDOWS\agrsmmsg.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 19:28 C:\WINDOWS\system32\000StTHK.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-24 21:16]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 02:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 14:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-03-03 04:00:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Mary Anne.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
"2007-11-05 06:08:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 22:08:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-04 22:13:07 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-02 00:39
.
--- E O F ---







-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 04, 2007 11:51:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/11/2007
Kaspersky Anti-Virus database records: 451678
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 57014
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:56:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mary Anne\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\cert8.db Object is locked skipped
C:\Documents and Settings\Mary Anne\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\history.dat Object is locked skipped
C:\Documents and Settings\Mary Anne\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\key3.db Object is locked skipped
C:\Documents and Settings\Mary Anne\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\parent.lock Object is locked skipped
C:\Documents and Settings\Mary Anne\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Mary Anne\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Mary Anne\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Application Data\Mozilla\Firefox\Profiles\qxfqfpi0.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Temp\~DF79F4.tmp Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Temp\~DF80A5.tmp Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mary Anne\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mary Anne\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mary Anne\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\40E07F19.t$m Infected: Trojan.Java.ClassLoader.d skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C5865CF0-8F95-49F0-8B2D-414EBEF542AC}\RP209\A0037523.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{C5865CF0-8F95-49F0-8B2D-414EBEF542AC}\RP209\A0037533.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{C5865CF0-8F95-49F0-8B2D-414EBEF542AC}\RP221\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB830680$\keymgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:42 AM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1587656472
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

--
End of file - 9649 bytes


Thanks again!
geolink
Active Member
 
Posts: 9
Joined: November 3rd, 2007, 4:25 am

Unread postby Katana » November 5th, 2007, 9:16 am

geolink wrote: My friend had not updated Norton. I was going to wait until this laptop was clean before renewing her subscription, or possibly opt for a different product. I did install the latest AVG Free on it and ran several scans before this.

I did install the latest version of Spybot S&D. I checked my version against what's available and it's the same version. Did you see something that made you think it's not?



Regarding Spybot, to be honest it was a shot in the dark based on the age of the Norton and Java installs :)
If you downloaded the latest version, that is fine.

Regarding Norton personally I would opt for the different product :)
If you decide to remove Norton, then as long as there are no other Norton/Symantec products being used, I would recommend the use of the removal tool.
Click HERE and follow the instructions to download and run the norton removal tool.

If you remove Norton you will need an Antivirus, and a Firewall.

Free AV list
AVG Free
Avira AntiVir
Avast

Firewall
You may be using Windows firewall, however this only stops incoming traffic.
A third party firewall is much safer, as it stops malware that does get on your PC from contacting "home".
Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
There are many free ones to choose from if cost is a problem. Visit here to choose one.


I use AVG AntiVirus and Comodo firewall on my machine, and am happy with their performance.

Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available.
If you have the paid version of Adobe please ignore this.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

How are things running now?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby geolink » November 5th, 2007, 4:22 pm

Hi, Katana. Thanks for the AV and firewall advice. I'm fine with purchasing software for her, so I'll gladly dump Norton for the AVG product. As for firewall software, I haven't heard of Comodo but will check it out. What are your thoughts about anti-spy/malware software? I'm most familiar with Ad-aware and Spybot but am not familiar with their paid-for products. Any other/better recommendations?

I'll go ahead and update her Adobe Reader and generate and post another HJT log (with the settings you mentioned).

The laptop seems much better now, thanks so much for your help.

By the way, my name's Tom and I'm in northern California.

Thanks again.
geolink
Active Member
 
Posts: 9
Joined: November 3rd, 2007, 4:25 am

Unread postby Katana » November 5th, 2007, 5:06 pm

Hi Tom :)
My personal opinion is that no single antispyware application will get everything.
It is better to have one as a real time scanner and then another one or two that get used "on demand".
The ones showing in that install list are good enough.
Ad-Aware 2007
a-squared Free 3.0
AVG Anti-Spyware 7.5
Spybot - Search & Destroy

All good applications, I have them installed on my box and use them on a regular basis.
In general the only difference between the paid and free versions is that the paid version will run a scan automatically and download new updates automatically.
If you are prepared to spend a few minutes of your time updating the scanner and then starting a scan, the free version is quite adequate.
I generally update and set a scan running before I go to bed :)

I would also recommend Winpatrol, it is a startup manager (and then some:) )
http://www.winpatrol.com/
With that running in the background, it will alert you if anything tries to add itself as a startup program.
It lets you easily choose when or if a program starts when you boot your machine.
Another good line of defense is Firefox with AdBlocker and NoScript addons. They will stop most of the "drive by" infections :lol:
Post that log and any other questions you have :)
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby geolink » November 5th, 2007, 6:35 pm

Ok, here's a system scan HJT log, plus a full system log. I've uninstalled Norton and will reinstall AVG Free for the moment and probably purchase their full version. I'll check out the firewall software and install one. Same for antimalware software. Right now I've got AVG's program running, the free version.

Oh, and I did the HJT Fix step.

Here are the logs:

Thanks!

========= SYSTEM SCAN ONLY ========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:54 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1587656472
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

--
End of file - 8116 bytes



================== (FULL SCAN)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:07 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1587656472
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

--
End of file - 8149 bytes
geolink
Active Member
 
Posts: 9
Joined: November 3rd, 2007, 4:25 am

Unread postby Katana » November 5th, 2007, 6:48 pm

Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First let's tidy up :D

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
You can also delete any logs we have produced.

Reset System Restore.
Now you should disable System Restore to purge any infected files and then re-enable it.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer

Turn ON System Restore

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-Check Turn off System Restore.
Click Apply, and then click OK.


Also PLEASE read this article

So How Did I Get Infected In The First Place

If you can see a program in the must have section that you have never seen or used then get it!

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby geolink » November 5th, 2007, 7:56 pm

Thanks, K. I'll finish the cleanup this evening and let you know when it's done.

I'll also pass along the article and tips to the laptop's owner. I'll probably purchase AVG's all-in-one protection, just to keep it simple for her. (I don't think she's likely to update that often on her own.)

Thanks again for your help!

Tom
geolink
Active Member
 
Posts: 9
Joined: November 3rd, 2007, 4:25 am

Unread postby Katana » November 5th, 2007, 8:18 pm

geolink wrote: Thanks, K. I'll finish the cleanup this evening and let you know when it's done.

I'll also pass along the article and tips to the laptop's owner. I'll probably purchase AVG's all-in-one protection, just to keep it simple for her. (I don't think she's likely to update that often on her own.)

Thanks again for your help!

Tom


A pleasure :)

If you suspect that the owner isn't likely to update often, you could always point out to her that 99% of modern malware is designed to get money.
Long gone are the days when it was just a school kid that was making a nuisance of him/herself.
That popup she sees when she goes online may just be an advert, or it could just as well be a password stealer.
The internet is not a safe place anymore ( if it ever was ).
You need to stress to her the importance of staying updated, and running regular malware scans.

Sorry if that sounds like a rant, but the amount of people we have to inform that they need to contact their banks about possible fraud would make your toes curl.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby geolink » November 5th, 2007, 8:40 pm

I agree with you on all counts! <g> And I'll advise her appropriately.

Thanks,

Tom
geolink
Active Member
 
Posts: 9
Joined: November 3rd, 2007, 4:25 am

Unread postby geolink » November 8th, 2007, 3:03 pm

Ok, Katana. All seems to be well. I installed the paid AVG combo product for her (AV, AntiMalware, Firewall) and stressed to her the importance of keeping up-to-date and being forever vigilant. <g>

You mentioned that you'd be archiving this topic. Will I be able to find it again for future reference?

Thanks so much again for all your help!

Tom
geolink
Active Member
 
Posts: 9
Joined: November 3rd, 2007, 4:25 am